When it comes to remediation of vulnerabilities, there is a two-fold approach that needs to be adopted by every organisation. First comes the elimination of all false positive findings and the prioritization of the relevant ones. Without this initial step, everything you do can simply be a waste of time, even though you think you are putting in all the hard work to stay on top of vulnerabilities. Speed is good only if you are going in the right direction; otherwise you are only drifting away from your destination faster. The second step is the remediation of all relevant vulnerabilities as quickly as possible. We think of the first step as fastening the seat belt, while the second step is taking off at full throttle.
The first step involves preparation and requires expertise to identify which vulnerabilities matter and which do not. The chances of the same vulnerability posing the same amount of threat to two different organisations are quite slim, and even slimmer if they operate in different industries. Laying out which vulnerabilities are more likely to be a real threat and which can be left for later is one of the most crucial decisions a security engineer needs to take. Considering the lack of resources in security departments and the bitter fact that only 1 out of every 10 vulnerabilities can be resolved each month on average, it is crucial to be precise about which ones you will be working on. By picking the wrong vulnerability, you may end up wasting your precious resources. Threat modelling is extremely helpful for speeding up the prioritization and elimination process, as you already have a blueprint of what might potentially harm you given the architectural structure of your application. Therefore, we strongly encourage our customers to go through the threat modelling phase so they reap the benefits in the future.
After ensuring that you are ready to take off, there are two north star metrics that you always need to bear in mind. You can rely on them to show whether you are doing better or worse compared to the past. The first of them is the mean time to fix. This metric shows you how well you are performing in terms of the velocity at which you are resolving vulnerabilities. While this figure may vary from organisation to organisation, what we see as best practice is, regardless of how high this number is at t-0, to keep bringing it down as much as possible and never let it go up. Any absolute target for how long remediation should take is quite useless when trying to come up with universal best practices. We believe the right approach is simply to try to perform better than yesterday, and to keep that up until you reach a sweet spot in line with your risk perception. Benchmarking your mean time to fix against other players in your industry can be useful to keep up with the competition. However, if you are already performing better than the competition, there should be no room to slack off. The goal, as we have mentioned, is always to outperform yourself.
The second metric we really care about is the window of exposure, which indicates the average time vulnerabilities stay alive on your systems. Although it is strongly correlated with the mean time to fix metric, there is a nuance here. If you analyze mean time to fix without weeding out the open vulnerabilities, you are clearly looking at a distorted number. You probably do not have enough resources to start working on every vulnerability at the same time, and it is not fair to say that you are taking too long to close issues that you have not yet been able to work on. If a critical vulnerability (critical not as a severity category shown by a scanner, but critical for your organisation considering the impact it may have) has been around for too long, you’d better know about it and take some action before it harms your entity. However, there are times when one critical vulnerability is more critical than another critical vulnerability, and the fact that you can only work on one of them at a time should not mean your mean time to fix is affected negatively.
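The two metrics above, and the nuance between them, are easiest to see in code. The following is an added example, not part of the original post: it computes mean time to fix over closed findings only, the window of exposure over all findings with still-open ones counted up to an as-of date, and the longest-open business-critical finding that the text says you had better know about. The `Finding` class, the function names and the dataset of five findings are all assumptions constructed for the illustration.

```python
"""Added example: remediation metrics over a constructed set of findings."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str
    opened: date
    closed: Optional[date]      # None while the vulnerability is still open
    business_critical: bool     # critical for this organisation, not the scanner's label


def mean_time_to_fix(findings):
    """Average days from discovery to closure, over closed findings only.

    Open findings are excluded on purpose: a backlog you have not reached yet
    says nothing about how fast you fix things once you start.
    """
    durations = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return sum(durations) / len(durations) if durations else 0.0


def window_of_exposure(findings, as_of):
    """Average days each finding has been (or was) alive, counting still-open
    findings up to `as_of`. This is the number that grows while a finding
    waits in the backlog, even though mean time to fix does not."""
    ages = [((f.closed or as_of) - f.opened).days for f in findings]
    return sum(ages) / len(ages) if ages else 0.0


def longest_open_critical(findings, as_of):
    """Return (finding_id, days_open) for the business-critical finding that
    has been open longest, or None when no critical finding is open."""
    open_critical = [f for f in findings if f.closed is None and f.business_critical]
    if not open_critical:
        return None
    oldest = min(open_critical, key=lambda f: f.opened)
    return oldest.finding_id, (as_of - oldest.opened).days


# Constructed sample data (not real findings): three closed, two still open.
SAMPLE_FINDINGS = [
    Finding("V1", date(2024, 1, 1), date(2024, 1, 11), business_critical=False),
    Finding("V2", date(2024, 1, 5), date(2024, 1, 25), business_critical=True),
    Finding("V3", date(2024, 1, 10), None, business_critical=True),
    Finding("V4", date(2024, 2, 1), date(2024, 2, 4), business_critical=False),
    Finding("V5", date(2024, 2, 10), None, business_critical=False),
]
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    print("mean time to fix (closed only):", mean_time_to_fix(SAMPLE_FINDINGS))
    print("window of exposure (all, as of", AS_OF, "):", window_of_exposure(SAMPLE_FINDINGS, AS_OF))
    print("longest-open critical finding:", longest_open_critical(SAMPLE_FINDINGS, AS_OF))
```

With this dataset the mean time to fix is 11 days, while the window of exposure is 20.8 days, almost twice as high, because V3 and V5 have been sitting open for 51 and 20 days respectively. Tracking both numbers month over month is what lets you see whether you are outperforming yourself: a falling mean time to fix with a rising window of exposure means you are fixing quickly but letting the backlog age.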
All in all, your remediation performance is decisive in the overall security posture of your organisation. Poorly performing teams will face a higher overall risk, and considering the enormous risks associated with security breaches, no security team has the luxury of taking remediation lightly. Even though remediation might be on developers’ plates in most organisations, the decision of what needs to be fixed and what does not needs to be taken by the security department. Assigning issues to developers is just the kick-off that starts the game, whereas keeping an eye on the remediation process to make sure vulnerabilities are fixed in a timely manner is the winning goal scored in extra time. It is a tough game against vulnerabilities popping up from every corner, and winning requires constant determination and concentration.