Creating a Vulnerability Management Program

Post on 12-Sep-2021


3/11/2012 (slide 1)

“When out of ammo, Reload”

Creating a Vulnerability Management Program

Ahmed Husain, Managing Director

Company overview

◦ Security Assessments
◦ Compliance and Audits
◦ IT Projects Management
◦ Cloud Security Services
◦ Telecom Consultancy


Agenda

• Vulnerability Management Lifecycle
• Risk Assessment Policies & Procedures
• PT vs. VA
• Names in the Market


1. Discover

• Automated process for accurate discovery of all hosts on the network
• Delivers a centralized repository of asset inventory

Mapping report sample


2. Asset Prioritisation

• Manage networks by categorising assets into groups or business units
• Assign a business value to asset groups based on the criticality of the assets to your business operation


3. Assessment & Analysis

• Accurately identify security vulnerabilities via a sufficient knowledge base of vulnerability checks (over 7000+ unique)
• Inference-based scan engine to improve accuracy and scanning efficiency
• Proactively identify known issues before they can be exploited. Perform a deep analysis and thorough OS, application and security configuration vulnerability assessments.


is an Internet security audit, performed by experienced security professionals. A key feature of the service, and one which cannot be covered by relying solely on automated testing, is application testing.

Typical Issues Discovered in an Application Test

• Cross-site scripting
• SQL injection
• Server misconfigurations
• Form/hidden field manipulation
• Command injection
• Cookie poisoning
• Well-known platform vulnerabilities
• Insecure use of cryptography
• Back doors and debug options
• Errors triggering sensitive information leak
• Broken ACLs/Weak passwords
• Weak session management
• Buffer overflows


4. Report

• Template-based reporting to enable technical and executive level analysis
• Enable trend analysis of overall security and compliance posture

Types of Reports: Executive, Technical, Patch, Differential


Reports sample


5. Remediation Workflow

• Prioritise and remediate vulnerabilities according to business risk
• Deploy patches to an entire network.
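The asset prioritisation of slide 2, the differential report type of slide 4 and the business-risk ordering of this remediation slide fit together in one small workflow. The following is an added Python example, not material from the deck or from any scanner product; the hosts, check ids (CHECK-000n placeholders), CVSS scores and business values are constructed so that it runs offline.

```python
"""Added example (not from the slides): business-value-weighted
vulnerability prioritisation, a differential between two scan runs,
and a verification check for a follow-up scan.

Assumed data model: a finding is (host, vuln_id, cvss); each host sits
in an asset group carrying a business value from 1 (lowest) to 5.
"""
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    vuln_id: str   # scanner check id; CHECK-000n values below are constructed
    cvss: float    # CVSS base score, 0.0 to 10.0


# Constructed asset inventory (slide 2): host -> (asset group, business value 1-5)
ASSETS = {
    "10.0.1.10": ("payments", 5),
    "10.0.1.11": ("payments", 5),
    "10.0.2.20": ("intranet-wiki", 2),
    "10.0.3.30": ("dev-lab", 1),
}

# Constructed results of two scan runs, the previous one and the current one.
PREVIOUS_SCAN = [
    Finding("10.0.1.10", "CHECK-0001", 9.8),
    Finding("10.0.1.11", "CHECK-0002", 5.3),
    Finding("10.0.2.20", "CHECK-0001", 9.8),
    Finding("10.0.3.30", "CHECK-0003", 7.5),
]
CURRENT_SCAN = [
    Finding("10.0.1.11", "CHECK-0002", 5.3),   # still open
    Finding("10.0.2.20", "CHECK-0001", 9.8),   # still open
    Finding("10.0.3.30", "CHECK-0003", 7.5),   # still open
    Finding("10.0.1.10", "CHECK-0004", 6.5),   # new since the previous scan
]


def risk_score(finding, assets=ASSETS):
    """Business risk = CVSS base score weighted by the asset group's
    business value. Hosts missing from the inventory get the lowest
    value, which is itself a signal that discovery (slide 1) is incomplete."""
    _, value = assets.get(finding.host, ("unknown", 1))
    return round(finding.cvss * value, 1)


def prioritise(findings, assets=ASSETS):
    """Remediation order (slide 5): highest business risk first, ties broken by CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f, assets), f.cvss), reverse=True)


def differential(previous, current):
    """Differential report (slide 4): what was fixed, what is new, what persists."""
    prev = {(f.host, f.vuln_id) for f in previous}
    curr = {(f.host, f.vuln_id) for f in current}
    return {
        "fixed": sorted(prev - curr),
        "new": sorted(curr - prev),
        "persisting": sorted(prev & curr),
    }


def verification_failures(current, claimed_fixed):
    """Verification (slide 6): items an operator marked as remediated that
    the follow-up scan still reports as open."""
    still_open = {(f.host, f.vuln_id) for f in current}
    return sorted(set(claimed_fixed) & still_open)


if __name__ == "__main__":
    for f in prioritise(CURRENT_SCAN):
        group, _ = ASSETS[f.host]
        print(f"{risk_score(f):5.1f}  {f.host:<10} {group:<14} {f.vuln_id} (CVSS {f.cvss})")
    print(differential(PREVIOUS_SCAN, CURRENT_SCAN))
    print(verification_failures(CURRENT_SCAN, [("10.0.1.10", "CHECK-0001"),
                                               ("10.0.2.20", "CHECK-0001")]))
```

The ordering is the point: the CVSS 9.8 finding on the low-value wiki ranks below the CVSS 5.3 finding on a payments host, which is what "according to business risk" means in practice. The differential shows CHECK-0001 fixed on one payments host but still open on the wiki, and the verification check catches a remediation that was claimed but not confirmed by the follow-up scan.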


6. Verification

• Verify the elimination of threats through follow-up audits
• Establish appropriate security policies, processes and standards that support regulatory and organisational compliance


Simplify the process of maintaining a secure environment by continuously monitoring, detecting and remediating policy-driven environments across all major platforms and applications.

Risk Assessment

• Number of External Tests per year
• Number of Internal Tests per year
• Web Application Tests
• Vendor Alternate Practices

Risk Treatment

• Patch Management and Upgrades
• Deployment of technologies and solutions to fix the gap
• Implement Controls
