Know your Security Vulnerabilities, Perform Assessments and Remediate them, through Vulnerability Management

2021-05-01  |  11 min read 

What is the current Product Security Landscape?

In this ever changing hyperconnected world, we face security risks like product hacking, identity theft, and cyberattacks.

Technological advances such as Industrial Internet of Things (IIoT), cloud applications, artificial intelligence, and advanced robotics have opened new and more sophisticated attack surfaces that make the world a far riskier place.

A considerable portion of cyberattacks target simple, known but unmitigated security vulnerabilities.  That is why thorough vulnerability management is vital in today’s organizations. Products with hidden security vulnerabilities deployed in an organization can be used as the vehicle of attacks on other devices within the same network. Through the practice of vulnerability management, product manufactures can detect and remediate the risks of those known vulnerabilities.

What is Vulnerability Management?

Vulnerability Management is like performing a health check-up. In a health check-up, the doctor performs a scan on our body, finding & assessing detected illnesses, evaluating & prioritizing the risks, remediating or mitigating them by treating them, and even administering vaccinations to prevent common illnesses before they occur. 

One key role of product security is to perform vulnerability management, that is, the practice of identifying, evaluating, classifying, prioritizing, remediating or mitigating the uncovered security vulnerabilities in our products; not only after shipment but throughout the entire product development life cycle.

Depending on the type of product, vulnerabilities exist in various forms and expose different attack surfaces. These vulnerabilities can be uncovered in various ways with vulnerability scanners widely used in the industry. For example, for connected devices or PC based products, network-based vulnerability scanners can help discover exploitable vulnerabilities. For products which are either web-based or come as a device with a built-in web application, WebApp vulnerability scanners are very helpful in uncovering the vulnerabilities that are related to the web application. While for products that use open-source software, employing a composition analysis tool can be very helpful as it analyzes the target software in search of known security vulnerabilities found in the open-source software. For cloud and container-based products, container-based vulnerability scanners will be very effective in uncovering vulnerabilities that are only present in that type of product.

Common security vulnerabilities that are uncovered may include unused open ports, outdated software used, insecure system configurations and software weaknesses that are susceptible to malware infections. Most of the vulnerability scanner vendors identify the vulnerability by referencing public sources, such as the National Vulnerability Database (NVD) hosted by the National Institute of Standards and Technology (NIST), or subscribing to a commercially available vulnerability database.

There are many ways of correcting the security vulnerabilities.  For some of the common vulnerabilities listed above, the remediation may involve patching the operating systems or application software, making a change in network security policy, or reconfiguration of the software or even the overall system. In some cases, correcting the vulnerabilities may not be enough.  Additional steps to generate user security awareness regarding the correct usage of the product to protect it against possible malware will go a long way to improve their security posture.

Vulnerability Management @ Keysight

In Keysight, a web-based, in-house Vulnerability Management Framework tool was designed and developed to aid product developers in performing vulnerability assessments of Keysight developed products. The main role of this tool is to help product development teams identify, track, and mitigate known security vulnerabilities that may exist in their product, and to allow them to audit and document the resulting security posture.  This ensures that the product meets its security requirements before being released. Use of this tool is a required step within Keysight’s product development life-cycle process. This tool is integrated with product engineering’s commonly used internal bug tracking tool. This in-turn helps close the DevSecOps gap for the R&D community, allowing them to uncover and fix security vulnerabilities as early as possible in the product development lifecycle.

The tool essentially acts as a black box vulnerability assessment tool on a target device, typically through the network via communication ports. The tool helps uncover security vulnerabilities, typically related to the operating system, vulnerable services, vulnerable web applications and ports (such as debug backdoors) as well as the installed software applications. This tool currently integrates several commercially available scanning engines that cover system and network level vulnerability assessments, network penetration, port scanning and WebApp vulnerability assessments and also includes Keysights’ in-house developed penetration testing product. The tool is actively supported and improved, to target new vulnerabilities, and hence new attack surfaces, especially when a new design pattern evolves which introduces new vulnerabilities.

Vulnerability Management is part of a Product Security Framework that covers 6 Key Pillars of Security aspects to ensures the efficiency and effectiveness of the product security program. This Vulnerability Management framework is similar in concept to the NIST Risk Management Framework.

Pillar 1: Vulnerability Management Governance

  1. The VMT Security framework was designed and developed to act as a single platform to help manage and govern the security vulnerabilities uncovered from Keysight products.
  2. Keysight has a company-wide security policy to govern the remediation of uncovered vulnerabilities based on Mitigation Priority.
  3. Each product development team is required to generate a product security development plan to document how they will meet the required security framework elements for their project.
  4. Each project in VMT required to have a project owner to ensure clear accountability if any issue and/or risk arises.

Pillar 2: Operation

  1. The VMT tool includes multiple vulnerability scanning engines that allow scanning for system and network level vulnerabilities, port scanning and WebApp vulnerability assessment.
  2. Development teams are able to perform assessments of the uncovered vulnerabilities directly in the VMT tool.  Assessment information provided is based on industry standard security scoring as well as an internally defined Mitigation Priority and Mitigation Recommendations.
  3. Project teams are able to share vulnerability data across their organization to improve overall vulnerability management.

Pillar 3: Remediation

  1. Vulnerability Advisories are provided by Keysight’s central Product Security team through the VMT tool.  These advisories give development teams additional information about the vulnerability including methods to mitigate them.
  2. The VMT tool helps teams manage the vulnerability risk and mitigation by integrating with Keysight’s widely used DevOps issue tracking system, helping close the loop for R&D’s remediation processes.
  3. This in turn helps the R&D team deal with their patch or change management process using their specific DevOps process and helps ensure successful remediation.

Pillar 4: Response Planning

  1. The VMT includes processes defining how the product development team should plan and prioritize their vulnerability management approach to minimize security risk.  It also allows R&D to more effectively assist the customer support team in communicating vulnerability information to the end customer.
  2. This tool also provides a communication channel to the central product security team to make requests for additional security information or new vulnerability management capabilities.

Pillar 5: Vulnerability Management Operation Success

  1. The VMT tool provides Keysight businesses with an overall vulnerability overview for their organizations. This provides management oversight and helps drive strategic policy implementations and improvements within Keysight.
  2. Through continuous use and extensive record keeping, the VMT helps product organizations stay vigilant and find ways to continuously make product security improvements.
  3. A dedicated sub-element of VMT is the Vulnerability Support HUB (VSH).  Targeted to be used by Keysight Customer Support teams, the VSH allows support engineers to search for information and provide advisories to end customers when they enquire about vulnerabilities designated by CVEs (Common Vulnerabilities Enumeration) that may be present in the products they own. The VSH extracts the shipped product's vulnerability information from the VMT databases and organizes the information for use by Keysight’s Support Organization.

Pillar 6: Vulnerability Management Evaluation

  1. The VMT tool helps give Keysight the visibility needed for security management success.  This visibility allows project teams to effectively evaluate the impact of, and then mitigate detected vulnerabilities, ensuring the products shipped by Keysight have a minimal number of exploitable security vulnerabilities.

The methodology is designed to complement Keysight’s product life cycle processes and provide guidance to facilitate cybersecurity risk management. To effectively address the dynamic nature of cybersecurity risks, these pillars act in a similar way to the core functions of the risk management process namely:  identify, protect, detect, respond and recover, and must be performed concurrently and continuously, as advocated in the National Institute of Standards and Technology (NIST) Cybersecurity framework.

To learn more about Keysight’s VMT process, kindly reach out to us through our contact channels.