I’ve seen it in my work countless times…various web security vulnerabilities being flagged as high or even critical risk when the issues really don’t mean much at all. Earlier on in my information security career, I had the mindset that all security vulnerabilities must be addressed. Working for myself, I quickly learned that claiming that the sky is falling for every little security finding is a surefire way to lose credibility. You see, regardless of what these vulnerabilities meant to the business, I, the all-knowing technical professional, believed that everything mattered. However, it didn’t take long to realize that’s not how business works, and I had to pull back on my exploit paranoia quite a bit.
That was over two decades ago but fast forward to today and the issue of many findings flagged by vulnerability scanners and even manual penetration testing are still often treated the same. The people uncovering them will claim:
They’re exposing the network.
They’re going to get you into trouble…
Interestingly, it’s rare to see this hype and paranoia backed up by facts or meaningful logic. “It’s a big deal because I said so’’, is the assertion. It’s not unlike the doctor who finds health “opportunities” in a patient’s blood work or the auto mechanic who suggests that every possible issue found on a car needs to be addressed immediately. When every security flaw is deemed important, it creates chaos at the business level. In the short term, precious resources are wasted addressing such findings. Longer-term, these things add up to create true dysfunction in an overall security program which, ironically, makes the organization more susceptible to the risks that matter.
A dozen or so times per year, through a special business relationship that I have, I consult with large corporations on vulnerability management. Specifically, I’m asked about how to get started and how to find the gaps and weaknesses so that these security teams can build out their vulnerability management programs. Predictably, the biggest challenge I see in these organizations — some of which have dozens of people on their security teams — is not being able to fix all of the findings that are uncovered in vulnerability and penetration testing. At the root of this is the desire for IT and security professionals to have a clean network environment devoid of any security problems. Although it might sound good on paper and impress some people who don’t fully understand the challenges associated with IT and security, this striving for perfection only serves to set everyone, including the business itself, up for failure over the long term.
Not knowing which vulnerabilities to focus on is rooted in not fully understanding their impact to the business. When security professionals fail to determine this, it’s virtually guaranteed that those people responsible for vulnerability remediation, i.e. network admins and developers, will misunderstand both the problem and the solution. It’s okay to not address all of your vulnerabilities. In fact, most of them are likely best practice type items that you may or may not get to at some point. And that’s okay. What matters, though, are the ones that can be directly exploited or that can be indirectly used against the business in some way.
In the context of web security, SQL injection, cross-site scripting, and user session management come to mind. Of course, there are many other possibilities, but it all depends on the context of the specific vulnerability in your own unique environment. A wiser and more measured approach to determine where to focus your remediation efforts would be to determine the most critical flaws affecting your most important systems. If you’re able to master your vulnerabilities at that level then you will have the standards, processes, and insight to eventually roll it out to all systems across the board if you choose to do so. But right now, you must focus on the things that matter most. To treat all vulnerabilities the same is a recipe for distraction and facilitating the very security events you’re trying to prevent in the first place.
When it comes to the results of your vulnerability scanning and penetration testing, ask yourself the following questions:
1) Does this finding meet our security standards and warrant a response?
2) What is the business risk?
3) How will our business be impacted?
4) What is the worst possible outcome?
5) What can we do right now to minimize the risk? Is there a compensating control we can put in place, or should the risk be accepted, and we move on?
Effective information risk management requires critical thinking. Don’t treat everything the same. Dig in further with your web security testing. Be as precise as you can. Understand the actual impact of each flaw and the specific outcomes in your business setting. This is the only way that you’ll be able to properly address the handful of findings that truly matter. Approaching security in this manner might take longer upfront until your process is mastered but it will pay off immensely over the long haul in terms of focal points for minimizing the time, effort, and money invested.
In the context of web security, most things are noise. Filter out as much of it as you can, and your highest payoff areas will become clear.