OWASP Vulnerability Management Guide (OVMG) - June 1, 2020
2.4.3 Using CVSS, apply unique environmental traits to your vulnerability analysis
Although the CVSS base score is the common denominator, a vulnerability with a lower base score can carry higher risk in your environment because of its exposure factor (for example, an Internet-facing host) or because it has aged unpatched. The CVSS environmental metrics are the place to record these traits, so that the score you report reflects your environment rather than the generic one.
2.4.4 State vulnerability trends
What is different from the last month, week, quarter, or year: is it better, is it worse, or is there no change?
2.4.5 Hypothesize about these trends in one sentence
If we see a downward trend because the scanner failed, we want to say so in the report. If we see an upward trend because no remediation work has been done, this is the right place to communicate that.
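As an added example (not part of the OVMG) covering both 2.4.4 and 2.4.5, the script below compares two monthly scan snapshots, reports the per-severity deltas, and then checks which of the two hypotheses above fits the numbers: a scanner coverage gap (assets that were reached last month but not this month) or actual remediation (findings closed on assets reached both times). The snapshot data, host names and the 25% coverage-drop threshold are constructed for illustration.

```python
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low")

# Constructed sample snapshots (not real scan data): the assets the scanner reached,
# and the (asset, severity) findings it reported.
MARCH = {
    "assets_scanned": {"web-01", "web-02", "db-01", "app-01", "app-02"},
    "findings": [("web-01", "High"), ("web-01", "Medium"), ("web-02", "High"),
                 ("db-01", "Critical"), ("db-01", "Low"), ("app-01", "Medium"),
                 ("app-02", "Medium")],
}
# April run where the scanner never reached web-02 or the app subnet: fewer findings, nothing fixed.
APRIL_SCANNER_GAP = {
    "assets_scanned": {"web-01", "db-01"},
    "findings": [("web-01", "High"), ("web-01", "Medium"), ("db-01", "Critical"), ("db-01", "Low")],
}
# April run with full coverage where patching actually closed findings.
APRIL_REMEDIATED = {
    "assets_scanned": {"web-01", "web-02", "db-01", "app-01", "app-02"},
    "findings": [("web-01", "Medium"), ("db-01", "Low"), ("app-02", "Medium")],
}


def severity_counts(snapshot):
    return Counter(sev for _, sev in snapshot["findings"])


def compare(previous, current, coverage_drop=0.25):
    """Per-severity deltas, plus the two checks that separate 'scanner failure' from 'remediation'."""
    prev_c, cur_c = severity_counts(previous), severity_counts(current)
    deltas = {s: cur_c.get(s, 0) - prev_c.get(s, 0) for s in SEVERITIES}
    prev_assets = previous["assets_scanned"]
    lost = prev_assets - current["assets_scanned"]
    # Coverage check: if more than coverage_drop of last run's assets vanished, the trend is suspect.
    coverage_suspect = bool(prev_assets) and len(lost) / len(prev_assets) > coverage_drop
    # Remediation check: compare only assets reached in both runs, so a coverage gap
    # cannot masquerade as fixed findings.
    common = prev_assets & current["assets_scanned"]
    prev_common = Counter(f for f in previous["findings"] if f[0] in common)
    cur_common = Counter(f for f in current["findings"] if f[0] in common)
    closed = sum((prev_common - cur_common).values())
    return {"deltas": deltas, "lost_assets": sorted(lost),
            "coverage_suspect": coverage_suspect, "closed_on_common_assets": closed}


def hypothesis(result):
    """The one-sentence trend statement that section 2.4.5 asks for."""
    net = sum(result["deltas"].values())
    if result["coverage_suspect"]:
        lost = result["lost_assets"]
        return (f"Findings moved {net:+d}, but {len(lost)} assets dropped out of the scan "
                f"({', '.join(lost)}); treat the decrease as a scanner coverage failure, not remediation.")
    closed = result["closed_on_common_assets"]
    if net < 0:
        return f"Findings moved {net:+d} with stable coverage; {closed} findings were closed by remediation."
    if net > 0:
        return (f"Findings moved {net:+d} with stable coverage and only {closed} closed; "
                f"remediation is not keeping pace with new findings.")
    return "No net change in findings; remediation matched new findings."


if __name__ == "__main__":
    for label, april in (("scanner gap", APRIL_SCANNER_GAP), ("remediated", APRIL_REMEDIATED)):
        result = compare(MARCH, april)
        print(f"{label}: deltas={result['deltas']}")
        print("  " + hypothesis(result))
```

The point of the second check is that a raw count of findings cannot distinguish the two hypotheses; only the asset-level comparison can. Keep the list of assets the scanner actually reached in every snapshot you store, since that is the evidence the hypothesis rests on.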
2.4.6 In one paragraph, add your recommendations
Give practical advice on how to turn a high-risk environment into a lower-risk one by eliminating the “fill-in-the-blanks” vulnerabilities in the “fill-in-the-blanks” assets (subnets/systems/applications). Note: delivery matters; we want to be as concise, pragmatic, and mission-oriented as possible.
2.4.7 Apply data sensitivity classification to your report
Consider what competitors or adversaries would pay for this information. Mark it as “confidential” at a minimum, and repeat the sensitivity marking on every page.
2.4.8 Make a shorter version (1-2 pages) of your report
This is where we sacrifice granularity to paint the broader picture: what these vulnerabilities mean for the enterprise vulnerability spread, and where the problems are concentrated. Make it more illustrative than verbose. Avoid technical jargon and CVE numbers: “EternalBlue” will sound more familiar than CVE-2017-0143.
2.4.9 Submit both versions of the report to your manager/CISO
Use both electronic and verbal communication. You might want to store your reports on a shared encrypted drive and send only a URL to the report rather than the document itself.
2.4.10 Create and maintain your own vulnerability management repository for internal or external audit
Make sure to meet the auditability requirement: provide a secure storage location for the collected data and the final reports, and document your process along the way to avoid accidental errors.
2.4.11 Be able to explain the details of vulnerability detection and the reporting process
Be transparent with your management and colleagues about data collection and data processing. Transparency plus consistency builds your credibility.
End Goal: summarize security scanning results in a concise form that is easy to understand. Share your reports with all who need to know. Keep vulnerability reports consistent in format and delivery.