Surprisingly, only 50% of companies surveyed by The Ponemon Institute conduct security assessments of their products before releasing them, despite 59% acknowledging that security concerns have cost them sales.

The challenge appears to be in selecting which vulnerabilities and threats to address first after they've been identified. 

Effective prioritization is a must for product security teams, but it's a task that is inherently difficult. We discussed this difficulty on our podcast, "IoT: The Internet of Threats," where we spoke with Josh Corman, a prominent figure in cybersecurity.

That conversation highlighted the importance of positioning security teams for success and efficiently managing threat priorities to enhance cybersecurity in an increasingly interconnected world.

Increasing Connectivity, Increasing Risk

The importance of proper prioritization becomes even more evident when the products in question are critical infrastructure, medical devices, or internet-connected vehicles. By the time you are ready to prioritize, a single firmware image may have surfaced hundreds of potential vulnerabilities and threats, and the question becomes how to identify and focus on the ones that matter most.

A key strategy is to start by establishing a baseline: an initial snapshot of the product's findings that lets you measure progress and guide future security improvements. A scoring system that quantifies both risk and the improvement each fix would deliver simplifies this, because it lets you prioritize on quantitative data rather than on whichever finding happens to look alarming.

A Comprehensive Approach to Prioritization at Finite State

At Finite State, we understand the criticality of prioritization in ensuring product security. Our method is deeply rooted in a risk model framework, distinguishing us in a field where various scoring systems, such as CVSS for CVEs and CWSS for CWEs, abound alongside proprietary metrics from different Application Security (AppSec) vendors.

Our approach encompasses several key dimensions we consider essential for effective prioritization.

Confidence in Findings

The first dimension evaluates the reliability of the findings. Tools used at different stages of the development lifecycle yield varying levels of confidence. For instance, a basic binary analysis tool might produce numerous false positives due to its rudimentary assessment criteria, leading to lower confidence in its findings. Conversely, a vulnerability confirmed through manual penetration testing, complete with a developed and verified exploit, would be regarded with significantly higher confidence. This spectrum of confidence affects how we perceive and prioritize security findings.

Vulnerability Severity

Another crucial dimension is the severity of the vulnerability itself. Not all vulnerabilities pose the same level of threat. Factors such as exploitability, network exposure, and the potential impact (e.g., a localized denial of service vs. remote code execution) play pivotal roles in assessing severity. While we incorporate scoring systems like CVSS and CWSS, we go beyond them to consider the nuanced aspects of each vulnerability. A CVSS base score, for example, describes the vulnerability in isolation; whether the affected service is actually reachable over the network in a given product is deployment context that the base score does not capture.

Threat Likelihood

The probability that a threat actor will exploit a given vulnerability adds another layer to our risk model. Publicly known vulnerabilities, for instance, are more likely to be targeted due to their visibility to botnets and active threat groups. The existence of exploit code available online further elevates the risk. Hence, understanding the threat landscape and the specific vulnerabilities being exploited within it is vital for accurate prioritization.

How should you approach and prioritize your software supply chain security findings? Check out this short video from our CEO, Matt Wyckhouse, where he says that your next steps should consider your confidence in the finding, the severity of the vulnerability, and the threat context:

Prioritizing security vulnerabilities at Finite State involves a holistic analysis that integrates confidence in findings, the inherent severity of vulnerabilities, and the contextual threat landscape. Such a comprehensive risk model allows us to identify and prioritize the vulnerabilities that pose the most significant risk to our clients, ensuring that security efforts are directed where they are most needed. This approach underscores our commitment to not just identify vulnerabilities but to understand and mitigate the risks they present effectively.

When It Comes Time to Remediate

Moving into remediation involves choosing which issues to address. Two strategies our clients find useful are:

  1. The Grouping Method: This approach updates a software component or firmware image whose newer version closes many findings at once, focusing on the components that, when fixed, retire the most risk in a single change.

  2. The Seek and Secure Method: This approach fixes individual vulnerabilities in order of how likely they are to be exploited and how severe the consequences would be, targeting specific high-risk findings regardless of which component they sit in.

These methods are not mutually exclusive; combining them can lead to a comprehensive plan that aligns with available resources and security objectives.
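To make the three dimensions and the two remediation orderings concrete, here is an added toy model. It is an illustration written for this page, not Finite State's scoring (which the page does not publish); the confidence weights per tool, the likelihood weighting, the component names and the findings themselves are all constructed assumptions.

```python
"""Toy prioritization model (illustrative; not Finite State's scoring).

Each finding carries the three dimensions the article names:
  confidence  - how much we trust that the finding is real (by source tool),
  severity    - CVSS base score, normalised to 0..1,
  likelihood  - how likely a threat actor is to exploit it.
Risk is the product of the three, so a high-severity finding from a noisy
tool with no public exploit can rank below a medium one that is verified
and has exploit code circulating.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed confidence per source; values chosen for illustration only.
CONFIDENCE = {
    "binary_scan": 0.4,       # heuristic scan, many false positives
    "sca_match": 0.7,         # component/version matched to a CVE feed
    "pentest_verified": 1.0,  # exploit developed and verified by hand
}


@dataclass
class Finding:
    id: str
    component: str           # component or firmware image that must change
    source: str              # which tool or stage produced the finding
    cvss: float              # CVSS base score, 0.0-10.0
    network_exposed: bool    # reachable from the network in this product
    public: bool             # publicly disclosed (CVE assigned)
    exploit_available: bool  # exploit code observed online


def likelihood(f: Finding) -> float:
    """Assumed threat-likelihood weighting: public and exploited is highest."""
    score = 0.2                       # baseline: anything can be found eventually
    if f.public:
        score += 0.3                  # visible to botnets and threat groups
    if f.exploit_available:
        score += 0.4                  # no research needed to weaponise
    if f.network_exposed:
        score += 0.1                  # attack surface is reachable
    return min(score, 1.0)


def risk(f: Finding) -> float:
    """Risk = confidence * normalised severity * likelihood, in [0, 1]."""
    return round(CONFIDENCE[f.source] * (f.cvss / 10.0) * likelihood(f), 3)


def seek_and_secure(findings):
    """Seek and Secure: individual findings ordered by risk, highest first."""
    return sorted(findings, key=risk, reverse=True)


def grouping(findings):
    """Grouping: components ordered by total risk retired if that component is updated."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.component] += risk(f)
    return sorted(((c, round(t, 3)) for c, t in totals.items()),
                  key=lambda kv: kv[1], reverse=True)


# Constructed sample findings for one hypothetical firmware image.
SAMPLE = [
    Finding("F-1", "busybox 1.30",  "pentest_verified", 9.8, True,  True,  True),
    Finding("F-2", "openssl 1.0.2", "sca_match",        7.5, True,  True,  False),
    Finding("F-3", "openssl 1.0.2", "sca_match",        5.9, True,  True,  False),
    Finding("F-4", "openssl 1.0.2", "sca_match",        6.5, True,  True,  True),
    Finding("F-5", "custom-httpd",  "binary_scan",      8.1, True,  False, False),
    Finding("F-6", "zlib 1.2.8",    "sca_match",        4.0, False, True,  False),
]

if __name__ == "__main__":
    print("Seek and Secure order:")
    for f in seek_and_secure(SAMPLE):
        print(f"  {f.id:4} {f.component:14} risk={risk(f)}")
    print("Grouping order (risk retired per component update):")
    for component, total in grouping(SAMPLE):
        print(f"  {component:14} {total}")
```

Note how the two orderings disagree at the top: Seek and Secure puts the verified, exploited BusyBox finding first, while Grouping puts the OpenSSL update first because one version bump retires three findings whose combined risk is higher. Also note F-5: the highest raw CVSS score after F-1, yet it lands last because it comes from a noisy binary scan and has no public disclosure or exploit. A real plan typically takes both views, which is the combination the article describes.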

Ready to Learn More?

For a deeper dive into securing connected devices, check out our Ultimate Guide to Connected Device Security where we explore the significance of the prioritization stage in understanding and mitigating risks associated with vulnerabilities.


When you're embarking on the journey towards better product security, you need a comprehensive solution that not only highlights vulnerabilities but also assesses their exploitability within your network.

The Finite State Next Generation platform stands out by offering an intuitive scoring system that simplifies understanding and prioritizing risks, ensuring that you have the visibility and information you need to allocate your resources effectively and forge a clearer path to enhanced product security.