2 Reporting Cycle

The reporting cycle targets activities that help an organization understand its vulnerabilities in a
measurable way. The principal activities are focused on learning, categorizing, and creating
meaningful organizational metrics that become the cornerstone of vulnerability management
reports. This should be followed by assigning work for remediation.
2.1 Asset Groups

TASK                       INPUT            OUTPUT
2.1 Create Asset Groups    1.1 Scope        2.3 Audit Trail
                           1.3 Run Tests    2.4 Reports
                                            3.1 Prioritize
2.1.1  TO-DO: Determine functional asset groups
       WHY:   Understand which assets are mission-critical and which are not. If an asset
       management tool is not available, gather this information by talking to your
       management and coworkers. Ask how long each asset could be unavailable without
       causing damage to the business.
       Within a broader group of assets, web servers for instance, create meaningful asset
       groups that can be used in vulnerability reports. Examples include, but are not limited
       to, location, department, and type of asset (e.g., virtual vs. HD, cloud vs. data center).
       Your guiding criteria should make sense to the audience you are reporting to.
2.1.2  TO-DO: Determine asset groups by type of environment
       WHY:   Test your production, staging, and development environments, then compare the
       vulnerability data of each environment. Is the data identical or not? Differences may
       indicate governance issues. Grouping assets by type of environment may also benefit
       prioritization.
2.1.3  TO-DO: Determine asset groups by type of system
       WHY:   Which OS carries the most high-severity vulnerabilities? Where are the problems
       concentrated? If an organization is a Windows shop and the scan results show critical
       vulnerabilities on Apache servers, that indicates non-compliance or a lack of change
       management.
2.1.4  TO-DO: Determine groups by CVE numbering authority or underlying technology
       WHY:   Understand which vulnerabilities are unacceptable for your organization to have.
       For example, group CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146,
       CVE-2017-0147, and CVE-2017-0148 (the SMBv1 flaws addressed by MS17-010) into an
       "EternalBlue/Petya" vulnerability group and track it.
2.1.5  TO-DO: Determine groups by type of vulnerability
       WHY:   Apply the OWASP Top 10 Web Application Security Risks to web application
       findings. Network vulnerability types could be categorized as, but not limited to:
       - Remote code execution
       - Weak cipher vulnerabilities
       - Obsolete/outdated software vulnerabilities
       - Information disclosure vulnerabilities
       - Privilege escalation
       - Default credentials
       - Memory allocation/corruption

OWASP Vulnerability Management Guide (OVMG) - June 1, 2020
End Goal: you should know your environment well enough to come up with the categories for your organizational assets.
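The grouping steps 2.1.1 through 2.1.5 above, carried out over a small set of scan findings, as an added example that is not OVMG tooling or code from the guide: the asset inventory, the findings, their field names, the downtime threshold and the keyword-to-type map are all assumptions constructed for the example. The CVE identifiers are real, but their placement on the sample hosts and the finding titles are constructed.

```python
"""Group scan findings into asset groups and named vulnerability groups
(OVMG steps 2.1.1 to 2.1.5).  Added example with constructed data; the
inventory fields and finding fields are assumptions, not a scanner's schema."""
from collections import Counter, defaultdict

# Constructed asset inventory: the data 2.1.1 says to gather from the asset
# management tool, or from management and coworkers if no tool exists.
ASSETS = {
    "web-01": {"env": "production",  "os": "Windows Server 2016", "location": "NYC",
               "department": "Sales",       "platform": "data center", "max_downtime_hours": 1},
    "web-02": {"env": "staging",     "os": "Windows Server 2016", "location": "NYC",
               "department": "Sales",       "platform": "data center", "max_downtime_hours": 48},
    "app-03": {"env": "production",  "os": "Windows Server 2019", "location": "LON",
               "department": "Finance",     "platform": "cloud",       "max_downtime_hours": 4},
    "lab-04": {"env": "development", "os": "Ubuntu 20.04",        "location": "LON",
               "department": "Engineering", "platform": "cloud",       "max_downtime_hours": 72},
}

# Constructed scan findings: real CVE ids, invented placement and titles.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-2017-0144", "severity": "critical", "product": "Microsoft SMBv1",
     "title": "Windows SMBv1 remote code execution (MS17-010)"},
    {"asset": "web-01", "cve": "CVE-2021-41773", "severity": "critical", "product": "Apache httpd",
     "title": "Apache HTTP Server path traversal / information disclosure"},
    {"asset": "web-02", "cve": "CVE-2017-0144", "severity": "critical", "product": "Microsoft SMBv1",
     "title": "Windows SMBv1 remote code execution (MS17-010)"},
    {"asset": "web-02", "cve": "CVE-2016-2183", "severity": "medium", "product": "OpenSSL",
     "title": "SWEET32: weak 64-bit block cipher (3DES) offered in TLS"},
    {"asset": "app-03", "cve": "CVE-2017-0145", "severity": "critical", "product": "Microsoft SMBv1",
     "title": "Windows SMBv1 remote code execution (MS17-010)"},
    {"asset": "lab-04", "cve": "CVE-2016-2183", "severity": "medium", "product": "OpenSSL",
     "title": "SWEET32: weak 64-bit block cipher (3DES) offered in TLS"},
]

# 2.1.4: a named group of CVEs the organization refuses to carry. CVE-2017-0143
# through CVE-2017-0148 are the SMBv1 flaws patched by MS17-010 (EternalBlue).
VULN_GROUPS = {"EternalBlue/Petya": {f"CVE-2017-014{n}" for n in range(3, 9)}}

# 2.1.5: keyword in the finding title -> vulnerability type, first match wins (assumed map).
VULN_TYPES = [
    ("remote code execution", "Remote code execution"),
    ("cipher", "Weak cipher"),
    ("outdated", "Obsolete/outdated software"),
    ("information disclosure", "Information disclosure"),
    ("privilege escalation", "Privilege escalation"),
    ("default credential", "Default credentials"),
    ("memory corruption", "Memory allocation/corruption"),
]


def group_assets(assets, key):
    """2.1.1-2.1.3: asset names per value of one inventory attribute (env, os, location, ...)."""
    groups = defaultdict(list)
    for name, attrs in assets.items():
        groups[attrs[key]].append(name)
    return {value: sorted(names) for value, names in groups.items()}


def mission_critical(assets, max_downtime_hours=4):
    """2.1.1: assets the business cannot lose for longer than the given window (threshold assumed)."""
    return sorted(n for n, a in assets.items() if a["max_downtime_hours"] <= max_downtime_hours)


def findings_per_group(findings, assets, key, severities=("critical", "high")):
    """Count findings of the given severities per asset group, e.g. key='os' for 2.1.3."""
    return dict(Counter(assets[f["asset"]][key] for f in findings if f["severity"] in severities))


def environment_diff(findings, assets, env_a, env_b):
    """2.1.2: compare the CVE sets of two environments; differences hint at governance gaps."""
    cves = {env_a: set(), env_b: set()}
    for f in findings:
        env = assets[f["asset"]]["env"]
        if env in cves:
            cves[env].add(f["cve"])
    return {"common": sorted(cves[env_a] & cves[env_b]),
            "only_in_" + env_a: sorted(cves[env_a] - cves[env_b]),
            "only_in_" + env_b: sorted(cves[env_b] - cves[env_a])}


def unexpected_technology(findings, assets, os_prefix, product_keyword):
    """2.1.3: assets whose OS matches os_prefix but carry findings for a product that
    should not be on that fleet (the guide's Apache-on-a-Windows-shop case)."""
    return sorted({f["asset"] for f in findings
                   if assets[f["asset"]]["os"].startswith(os_prefix)
                   and product_keyword.lower() in f["product"].lower()})


def track_vuln_group(findings, group_name):
    """2.1.4: which assets carry any CVE from a named vulnerability group."""
    members = VULN_GROUPS[group_name]
    hits = defaultdict(set)
    for f in findings:
        if f["cve"] in members:
            hits[f["asset"]].add(f["cve"])
    return {asset: sorted(cves) for asset, cves in sorted(hits.items())}


def classify(title):
    """2.1.5: map a finding title onto one vulnerability type."""
    lowered = title.lower()
    return next((cat for kw, cat in VULN_TYPES if kw in lowered), "Uncategorized")


def findings_per_type(findings):
    """2.1.5: how many findings fall into each vulnerability type."""
    return dict(Counter(classify(f["title"]) for f in findings))


if __name__ == "__main__":
    print(group_assets(ASSETS, "env"))
    print(mission_critical(ASSETS))
    print(findings_per_group(FINDINGS, ASSETS, "os"))
    print(environment_diff(FINDINGS, ASSETS, "production", "staging"))
    print(unexpected_technology(FINDINGS, ASSETS, "Windows", "Apache"))
    print(track_vuln_group(FINDINGS, "EternalBlue/Petya"))
    print(findings_per_type(FINDINGS))
```

Each function answers one question the step asks: `environment_diff` shows CVE-2017-0145 and the Apache finding only in production and SWEET32 only in staging, which is the kind of inconsistency 2.1.2 calls a governance signal; `unexpected_technology` flags web-01 as a Windows host with an Apache finding; `track_vuln_group` lists every host still carrying an MS17-010 CVE. Keyword classification is deliberately crude; a real scanner's plugin family or CWE field would replace `VULN_TYPES`.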
2.2 Metrics