CVEdetails.com the ultimate security vulnerability data source

Vulnerability Review For 2013

There were 1,137 vulnerabilities discovered in 2012; however, 84% of them had a patch available on the day of disclosure, according to Secunia's Vulnerability Review for 2013. On a positive note, this means that with timely patching, organizations and private users can remediate the majority of vulnerabilities, the root cause of security issues. To balance the picture, Secunia also found that 16% of the vulnerabilities in 2012 remained without a patch beyond the first day of disclosure. Possible reasons for such delays include a lack of vendor resources, uncoordinated releases, zero-days, or vulnerabilities in End-of-Life products.

With vulnerabilities, timing is crucial. What, then, is a best-practice approach to patching software?

Frameworks such as the SANS Institute's '20 Critical Controls' can support organizations with this challenge. Implementing all controls in their entirety may not be feasible for many organizations, so in the context of vulnerability management SANS outlines a set of 'first five' quick wins. For example, 'first five' #3 and #4 state: "Implement automated patching tools and processes that ensure security patches are installed within 48 hours of their release for both applications and for operating system software." Meeting a 48-hour timeline for all security patches could be challenging. Alternatively, concrete risk reduction can be achieved by prioritizing patches and targeting the 48-hour threshold for the most critical ones (i.e. those representing the greatest risk of exploitation).

A best-practice patch management solution can offer full support for the challenges of visibility, configuration, assessment, prioritization and mitigation of threats. Here is an example of an implementation model, focused on technology, for 'first five' #3 and #4 (patching tools and processes):

  1. Identify which applications are business-critical. Use this baseline to implement the application whitelist.
  2. Set the standard secure configuration baseline for your OS(s) and ensure that administrative privileges are limited (e.g. only the relevant employees have such privileges).
  3. Use a vulnerability scanning solution to scan the machines and OS(s) for the applications running in your environment, and correlate the inventory with the solution’s vulnerability database.
  4. Use the results to prioritize the work; then use the solution's packaging system to configure the updates appropriately and its integration capabilities to deploy patches faster.
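As an added example, not from the article, from Secunia or from any patch management product, here is a Python sketch of steps 3 and 4 run over a constructed inventory and advisory list: it correlates installed versions with fixed versions, orders the work by severity and business criticality, flags critical patches older than the article's 48-hour window as overdue, and routes findings with no vendor patch (the 16% case) to mitigation rather than deployment. The host names, application names, versions and dates are constructed.

```python
from collections import namedtuple
from datetime import datetime, timezone

SLA_HOURS = 48  # the SANS 'first five' patch window quoted in the article
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# One scanner inventory row (step 3); business_critical comes from the whitelist (step 1).
InstalledApp = namedtuple("InstalledApp", "host name version business_critical")
# One vulnerability-database entry; patch_released is None when no vendor patch exists.
Advisory = namedtuple("Advisory", "name fixed_version severity patch_released")

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def correlate(inventory, advisories):
    """Step 3: pair each installed app with every advisory whose fix it lacks."""
    return [(app, adv) for app in inventory for adv in advisories
            if app.name == adv.name
            and version_tuple(app.version) < version_tuple(adv.fixed_version)]

def prioritize(findings, now):
    """Step 4: order the work and flag critical patches outside the 48h window."""
    rows = []
    for app, adv in findings:
        age = None if adv.patch_released is None else (now - adv.patch_released).total_seconds() / 3600
        if age is None:
            action = "mitigate"  # no patch yet: needs a workaround, not a deployment
        elif adv.severity == "critical" and age > SLA_HOURS:
            action = "overdue"   # critical patch has been available longer than the SLA
        else:
            action = "patch"
        rows.append({"host": app.host, "app": app.name, "severity": adv.severity,
                     "business_critical": app.business_critical,
                     "hours_since_patch": age, "action": action})
    # most severe first, business-critical hosts before others, oldest patches first
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], not r["business_critical"],
                             -(r["hours_since_patch"] or 0)))
    return rows

# Constructed sample data (not from any real scan or advisory feed).
NOW = datetime(2013, 3, 20, 12, 0, tzinfo=timezone.utc)
INVENTORY = [InstalledApp("db01", "dbserver", "5.1.2", True),
             InstalledApp("ws07", "pdfreader", "9.0.0", False),
             InstalledApp("ws07", "browser", "24.0.1", False)]
ADVISORIES = [Advisory("dbserver", "5.1.3", "critical", datetime(2013, 3, 15, tzinfo=timezone.utc)),
              Advisory("pdfreader", "9.1.0", "high", datetime(2013, 3, 19, 18, tzinfo=timezone.utc)),
              Advisory("browser", "24.0.2", "critical", None)]

def sla_report():
    return prioritize(correlate(INVENTORY, ADVISORIES), NOW)
```

`sla_report()` returns the prioritized rows; in practice the inventory would come from the scanning solution and the advisories from its vulnerability database.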

The alternative, manual patching, is extremely complex and unreliable, and it eats into your team's time and resources.
