Vulnerability Management is one of the least sexy areas of information security. For all the improvements in automated patch deployment from vendors the likes of Microsoft and Adobe, my organization still has far more vulnerabilities than we can ever hope to patch. More to the point, we have more vulnerabilities in our environment than we ever should patch. Achieving a zero vulnerability state could only be accomplished through crippling amounts of bureaucracy and overhead that would halt not just innovation but basic operations. But where does that balance lie? How do we prioritize our limited resources and ensure we are addressing those issues which are most likely to result in a negative event?

For over a year my team has been partnering with our IT organization to deliver actionable intelligence on our vulnerabilities. Our goal has been to provide context beyond the sea of vulnerability data, by showing where critical assets and business processes exist. I've written on our efforts to digest raw vulnerability data into something more actionable in the past. Today I am releasing the latest tool in this effort, VulnPryer.

VulnPryer is a collection of Python utilities that takes a third-party vulnerability intelligence feed, extracts a feature table, and uses that to assign custom vulnerability severity ratings. Also now available is Chef-VulnPryer. This Chef cookbook provides for the dependency installation and user setup, and can schedule both periodic and immediate updates of your vulnerability intelligence feeds.
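To make the feed, feature table, custom rating pipeline concrete, here is an added example in Python. It is not VulnPryer's code and does not reproduce its mechanisms (those are left for the future posts mentioned below); the JSON feed shape, the feature names (`cvss_base`, `exploit_public`, `exploited_in_wild`, `vendor_patch`), the weights, and the rating thresholds are all constructed assumptions chosen to show how a feature table lets you rank vulnerabilities by something other than base CVSS alone.

```python
"""Added example (not VulnPryer's own code): a minimal feed -> feature table ->
custom severity pipeline. Feed shape, feature names, weights and thresholds are
constructed assumptions for illustration only."""
import json

# Constructed sample feed in a made-up JSON shape (not a real vendor format).
SAMPLE_FEED = json.dumps([
    {"id": "VULN-0001", "cvss_base": 9.8, "exploit_public": True,
     "exploited_in_wild": True, "vendor_patch": True},
    {"id": "VULN-0002", "cvss_base": 7.5, "exploit_public": False,
     "exploited_in_wild": False, "vendor_patch": True},
    {"id": "VULN-0003", "cvss_base": 4.3, "exploit_public": True,
     "exploited_in_wild": False, "vendor_patch": False},
])

# Assumed feature columns extracted from each feed entry.
FEATURES = ("cvss_base", "exploit_public", "exploited_in_wild", "vendor_patch")

# Assumed weights: public exploit code and in-the-wild exploitation raise the
# rating above what base CVSS alone would give.
WEIGHTS = {"exploit_public": 0.5, "exploited_in_wild": 1.0}


def extract_feature_table(feed_text):
    """Parse the feed and return one row of numeric features per vulnerability.
    Booleans become 0.0/1.0 and missing fields default to 0.0 so a partial
    feed still produces a usable row instead of failing."""
    rows = []
    for entry in json.loads(feed_text):
        row = {"id": entry["id"]}
        for name in FEATURES:
            row[name] = float(entry.get(name, 0))
        rows.append(row)
    return rows


def custom_severity(row):
    """Turn one feature row into a (score, rating) pair.

    The score is base CVSS scaled by a multiplier built from the weighted
    exploit features, capped at 10.0, then bucketed into a label."""
    multiplier = 1.0 + sum(WEIGHTS[f] * row[f] for f in WEIGHTS)
    score = min(10.0, row["cvss_base"] * multiplier)
    if score >= 9.0:
        rating = "critical"
    elif score >= 7.0:
        rating = "high"
    elif score >= 4.0:
        rating = "medium"
    else:
        rating = "low"
    return round(score, 2), rating


def rate_feed(feed_text):
    """Rate every entry in the feed and return them highest score first,
    which is the order a patching queue would work through."""
    results = []
    for row in extract_feature_table(feed_text):
        score, rating = custom_severity(row)
        results.append({"id": row["id"], "score": score, "rating": rating})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in rate_feed(SAMPLE_FEED):
        print(f"{r['id']}: {r['rating']:8} ({r['score']})")
```

The point of the feature table is that VULN-0003, a CVSS 4.3 issue that would sit at the bottom of a plain CVSS sort, moves up once public exploit code is factored in, while the two higher-CVSS entries are separated by whether they are being exploited at all. Swapping in asset criticality or business-process ownership as further columns is the same pattern.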

In future posts I’ll outline the mechanisms currently implemented in VulnPryer. This is an area of active development, so watch the repos and this blog for future updates!