How Vulnerabilities Are Discovered and Tracked

From Security for Everyone, edition e1.0.0, updated October 9, 2023

Let’s have a look at the vulnerability discovery process together.

Figure: Vulnerabilities are continuously found, published, and analyzed by the security community.

  1. Search: Security researchers identify software of interest and focus on finding vulnerabilities. It’s like being a treasure hunter, looking every day for one little clue that leads to your next vulnerability.

  2. Discover: A vulnerability is identified and tested. This could take days or weeks or months, depending on the complexity of the technology and the skill of the researcher.

  3. Share: When they are ready, the researcher shares the details. They send the details of the flaw and an assessment of its risk to an organization such as the US National Institute of Standards and Technology (NIST), which collates and disseminates details of known vulnerabilities. Other organizations exist around the world serving the same role.

  4. Publish: The vulnerability is assessed by NIST and published within the directory. RSS feeds notify subscribers that this vulnerability has been found.

  5. Analyze: Vulnerability researchers examine the new flaw, and may expand on or adapt the published vulnerability to create proofs of concept and attack tools, or identify further vulnerabilities.

And so, the cycle continues.

Being Aware of Current Vulnerabilities

There is a range of great sources you can use to keep up to date with security vulnerabilities: social media, vendor websites, CVE Details, RSS and news feeds, newsletters, podcasts, and so on. Please remember, though, that each of these sources has a different motivation for sharing vulnerability information.

Table: Ways to Learn about Vulnerabilities

Source: Social Media
What to watch for: A great source of varied opinions, often available without charge; social media hosts a range of security news feeds that announce vulnerabilities and updates.
    Buyer beware, however: social media is rife with misinformation, and not everyone sharing security know-how is credible. Use your research skills to review your sources before trusting them.

Source: Vendor Websites
What to watch for: Tool and technology manufacturers may provide details of vulnerabilities as part of change notes, updates, or disclosures.
    Please remember, however, that most vendors are not obliged to announce that they have had a security issue unless it is mandated by law. Security details may be buried deep in technical patch notes or just listed as “Updates to security” on a new software release.

Source: Government Advisories
What to watch for: Many countries have centralized government bodies that help coordinate and communicate critical information security notifications to affected businesses and organizations. This may be your local CERT (computer emergency response team) or a larger organization such as NIST (the US National Institute of Standards and Technology, which includes a number of security departments).
    Look at your local and national government entities and identify any notification services you can subscribe to. They are also a great source of support if something goes wrong with the security of your own organization or product.

Source: Scanning Tools
What to watch for: Tools that can be built into your development and technical environments to identify components with known vulnerabilities, such as Snyk, or to spot issues with the configuration of components, such as AWS Inspector.