Implementing a vulnerability management process

Any weakness within a system has the potential to be exploited by threats, leading to loss or compromise of data, or service disruption. When delivering a service, you need to determine how vulnerabilities will be identified, mitigated and remedied.

Vulnerabilities can occur as a result of security control flaws, unsecure features or user error. Attackers may look to exploit any or all of these. The longer vulnerabilities exist, the more susceptible a system becomes to attack. Managing vulnerabilities involves taking appropriate actions to reduce the risk of exploitation.

This is a complementary activity to performing a security risk assessment and threat modelling which should be conducted prior to discovering vulnerabilities.

A clear process that governs how you manage and respond to vulnerabilities will allow you to:

Vulnerability management should be a process embedded throughout the project lifecycle. Potential vulnerabilities should be addressed during the design phase and vulnerability management procedures should be included during development and deployment. Ongoing vulnerability testing and response management should continue as the service evolves.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to ‘build in detect and respond security’ and ‘embed continuous assurance’.

Who is involved

Your vulnerability management process should be devised by your project’s DevOps team with direction from security and technical architects.

Plans should be discussed with your Senior Responsible Officer (SRO) and service owner so they can agree that the proposed actions related to vulnerabilities are appropriate and proportionate. Close collaboration should also happen with development teams so they are aware of expectations when it comes to resolving vulnerabilities.

How to define a vulnerability management process

Before developing your own plan for managing vulnerabilities, speak to security professionals within your organisation to find out what existing processes are in place that can be used or adapted for your needs.

If your organisation doesn’t have any existing vulnerability management processes available to you, this should be raised with your Chief Digital Information Officer (CDIO) and Chief Information Security Officer (CISO) as a fundamental organisational risk.

Step 1: Establish vulnerability management protocols

You should develop an approach reflecting your organisational structure that outlines how vulnerabilities will be identified, assessed, prioritised and remedied.

As this action is proactive, you will be unaware of the exact vulnerabilities you are preparing for. However, it’s still possible to categorise the types of vulnerabilities you may encounter and design appropriate procedures to guide you when they do occur.

For example, you will know which roles within your security and development teams are responsible for conducting the various methods used to discover vulnerabilities. Documenting these procedures should include how frequently they’re required to perform scans, and what steps are required when vulnerabilities are identified.

Different vulnerabilities may require different actions. For example, a minor issue could be reported, logged and resolved within the delivery team, whereas a more serious issue may require escalation to senior management who will need to be consulted on the appropriate next steps.

Standard approaches for addressing vulnerabilities should also be included within your procedures so a consistent process can be followed across the service. Depending on the type of vulnerability, this may include applying patches or updates, implementing compensating controls to mitigate the vulnerability, reviewing and fixing the code, or developing a workaround. Each approach should have an associated time and resource estimate that can be referred to by project planning teams when action is required.

For vulnerabilities that are unknown, create a set of emergency procedures that can be followed. These should include the people and resources you may need to be made available, the data you may need to back up, and the processes involved in shutting down or containing systems.

Step 2: Develop a vulnerability register

Create a mechanism for recording and tracking the progress of vulnerabilities as they are discovered and addressed. This will provide stakeholders and delivery teams with a clear view of all current and resolved vulnerabilities related to a service.

A vulnerability register should include:

Step 3: Incorporate vulnerability management into project planning

The vulnerability register should be a living document that is updated whenever a new vulnerability is identified, or there is a change in the status of an open vulnerability.

The tasks (such as installing patches or fixing code) that are generated as a result of a vulnerability being added to the register should be assessed, prioritised and assigned during project planning meetings. Prioritising vulnerabilities will allow you to focus efforts on the most critical vulnerabilities, using the risk impact as a guide for what should be remedied first.

As these tasks are completed and the necessary testing has been carried out to confirm a successful resolution, the register can be updated with the latest information.

Step 4: Share your vulnerability management plans

It’s important to let people across your organisation know how vulnerabilities are being managed. Effective communication and collaboration with the relevant stakeholders will contribute to the success of your vulnerability management program.

There are five key stages at which communication should happen.

1. When your vulnerability management plans have been created

These should be distributed and explained to everyone (in the delivery team and wider organisation) who plays a potential role in vulnerability management. This should also take place when there are significant updates to procedures.

2. When vulnerability tests are being carried out

The results of scan reports and assessments should be shared with delivery managers, development teams and system administrators so they can be aware of what’s being reviewed and what actions may be required.

3. When a vulnerability has been identified

Your procedures will determine who needs to be informed based on the severity of the vulnerability. This may include the suppliers of external systems who can help coordinate mitigation efforts based on contractual agreements.

4. While a vulnerability is being remedied

Your risk register will provide a useful guide to project management teams involved in decision making, as well as those actively involved in resolving issues such as developers and network or system administrators.

5. Following the successful resolution of a vulnerability

To reduce the likelihood of a vulnerability recurring, share information on how it was identified and resolved with the appropriate teams.

It’s also important to educate users and employees about the importance of vulnerability management and how they can contribute to service security. Use appropriate communication channels to share relevant information regarding vulnerabilities and their potential impact to raise awareness and promote good security practices.

Once you have a process for managing and responding to vulnerabilities, you can focus on discovering vulnerabilities.



This activity is part of the ‘Anticipate and respond to vulnerabilities’ stage of Secure by Design, which also includes:

The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.


Last update: 31 January 2024

 

OFFICIAL