At work one of my unofficial tasks is to review the current CVE list. We have been asked several times in the past whether a vulnerability affects us, and we have to find out quickly whether it does. Now we (actually just me) check every day for updates from the prior day against a list of the software that we use. We use a simple XLS to track the CVE, product, date and high-level description, and a summary is sent out to the various team members to investigate. It has paid off: we knew about a vulnerability before being asked about it and could quickly tell senior management what was being done if we were impacted.
This lets us identify any potential impact and verify whether or not we are affected. If we are, the next questions are what mitigation steps are required before the fix and when the fix will be installed.
The part that I find annoying is that many of these vulnerabilities could have been caught by the application developers during testing. I suspect that management or marketing is pressuring the developers to push out the code and let the users and others find the bugs.
Terminology
CVE is Common Vulnerabilities and Exposures (Wikipedia: CVE).
CVSS is the Common Vulnerability Scoring System (Wikipedia: CVSS).
EPSS is the Exploit Prediction Scoring System (Wikipedia: EPSS).
Buffer overflow (Wikipedia: Buffer overflow).
Cross-Site Request Forgery (XSRF) (Wikipedia: XSRF).
Cross-Site Scripting (XSS) (Wikipedia: XSS).
Race condition (Wikipedia: Race condition).
SQL injection (Wikipedia: SQL injection).
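The daily check described above (prior day's CVE records matched against a list of the software we run, then written out as CVE, product, date and description rows for the tracker) can be scripted. This is an added example, not the author's own tooling; it assumes the feed is NVD-like JSON records carrying CPE 2.3 product strings, and the CVE ids and products below are constructed placeholders.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample feed in a simplified NVD-like shape. The CVE ids are
# placeholders, not real vulnerabilities; CPE strings follow the CPE 2.3 layout.
SAMPLE_FEED = [
    {"id": "CVE-0000-00001", "published": "2024-03-11", "cvss": 9.8,
     "cpes": ["cpe:2.3:a:examplevendor:webgateway:4.2:*:*:*:*:*:*:*"],
     "summary": "Buffer overflow in the request parser"},
    {"id": "CVE-0000-00002", "published": "2024-03-11", "cvss": 5.4,
     "cpes": ["cpe:2.3:a:othervendor:wiki:1.0:*:*:*:*:*:*:*"],
     "summary": "Cross-site scripting in page titles (product not on our list)"},
    {"id": "CVE-0000-00003", "published": "2024-03-10", "cvss": 7.5,
     "cpes": ["cpe:2.3:a:examplevendor:webgateway:4.2:*:*:*:*:*:*:*"],
     "summary": "Race condition in session handling"},
]

# Products we run, as vendor:product pairs in the CPE naming scheme (assumed list).
WATCHLIST = {"examplevendor:webgateway", "acme:dbserver"}

def vendor_product(cpe):
    """Return 'vendor:product' from a CPE 2.3 string (assumes no escaped colons)."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return f"{parts[3]}:{parts[4]}"

def daily_matches(feed, watchlist, today_iso):
    """Keep records published on the day before today_iso that name a watched product."""
    prior = (date.fromisoformat(today_iso) - timedelta(days=1)).isoformat()
    rows = []
    for rec in feed:
        if rec["published"] != prior:
            continue
        hits = sorted({vendor_product(c) for c in rec["cpes"]} & watchlist)
        if hits:
            rows.append({"cve": rec["id"], "product": ";".join(hits),
                         "date": rec["published"], "cvss": rec["cvss"],
                         "description": rec["summary"]})
    # Highest CVSS first so the team sees the most severe entries at the top.
    rows.sort(key=lambda r: r["cvss"], reverse=True)
    return rows

def tracker_csv(rows):
    """Render rows as CSV, ready to paste into the tracking spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["cve", "product", "date", "cvss", "description"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(tracker_csv(daily_matches(SAMPLE_FEED, WATCHLIST, "2024-03-12")))
```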