Monday, May 28, 2007

Vulnerability Management for Custom Software

Writing last night's post about security evolution got me thinking a bit about vulnerability management and how best to handle it for custom written software.

In general vulnerability management you can get a lot of traction by combining a network-based scanner with local, credentialed scanning (logging on to each host with a user account). This technique, which is not prevalent in most mainstream scanners, gives you decent coverage for standard software, configuration settings, etc. It can even give you a heads-up on a vulnerability in a version of a library you're using, especially when the version is easy to read off a service banner and/or from the standard library locations on a filesystem.

Managing vulnerabilities gets substantially trickier, though, when you move to homegrown software. Keeping a proper inventory of every library, toolkit, configuration setting, algorithm, etc. you use, and then being able to watch for vulnerabilities in them, is quite tricky. Network vulnerability scanners like Qualys or nCircle will do a pretty good job of banner grabbing and of detecting versions of certain toolkits, connections, etc. What they can't tell you, though, is that you're using a buggy version of libz or libxml inside one of your own applications, where the library is compiled in or bundled with the application rather than installed as a system package with a version the scanner can see.

How do you handle situations like these?

In general I resort to managing an inventory of tools I have in use at any given time and using vulnerability alerting services to tell me about new vulnerabilities in those toolkits.

I imagine there has to be a better way to do this. I'd really like to be able to list the toolkits I have in some more generic format that vulnerability alerting services and/or vulnerability scanners are capable of understanding, and have them tell me about vulnerabilities I may have. Rather than going through screen after screen of tools in my vulnerability alert service to configure my alerts, I'd like to be able to publish a list of software/tools in use to them (including versions) and then have them alert me when they know one of my components has a potential security flaw.

Sure, I'll still have to validate the vulnerability announcement. I'll still have to see whether my implementation, technique, etc. is vulnerable to the specific exploit, but at least I'd get a trimmed down list of things to worry about without going nuts.
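As an added example (not the author's code, and not any real alerting service), here is what the matching step described above could look like: a component inventory with versions is checked against advisory records that carry affected version ranges, and every match is reported as a candidate that still has to be validated. The inventory, the application names (billing-api, report-builder) and the advisory identifiers are constructed for illustration; the identifiers are fictitious and do not refer to real vulnerabilities.

```python
"""Match a component inventory against advisory data by version range.

Added example, not from the original post. The inventory and the
advisory feed below are constructed; ADV-EXAMPLE-* identifiers are
fictitious and do not refer to real vulnerabilities.
"""
import re
from dataclasses import dataclass

_DOTTED = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Turn '2.6.32' into (2, 6, 32) so versions compare numerically.

    Only plain dotted-numeric versions are accepted. Anything else
    (letter suffixes, '-r1' tags) raises rather than being silently
    truncated, which would quietly produce a wrong 'not affected'.
    """
    if not _DOTTED.fullmatch(text):
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    application: str  # which in-house application bundles this library


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # fictitious identifier (constructed data)
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" if no fix yet

    def affects(self, version):
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        if self.fixed and v >= parse_version(self.fixed):
            return False
        return True


def match_inventory(inventory, advisories):
    """Return (component, advisory) pairs whose version range matches.

    A match means the published affected range covers the version in
    use. It does not mean the application is exploitable; whether the
    vulnerable code path is reachable still has to be checked by hand.
    """
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.component, []).append(adv)
    hits = []
    for comp in inventory:
        for adv in by_name.get(comp.name, []):
            if adv.affects(comp.version):
                hits.append((comp, adv))
    return hits


def report(hits):
    """One line per match, naming the application that carries the library."""
    return [
        f"{c.application}: {c.name} {c.version} matches {a.advisory_id}"
        f" (fixed in {a.fixed or 'no fix yet'})"
        for c, a in hits
    ]


# Constructed inventory for two hypothetical in-house applications.
INVENTORY = [
    Component("libz", "1.2.3", "billing-api"),
    Component("libxml2", "2.6.20", "billing-api"),
    Component("libxml2", "2.6.32", "report-builder"),
    Component("libz", "1.2.3", "report-builder"),
]

# Constructed advisory feed; identifiers and ranges are fictitious.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "libxml2", "2.6.0", "2.6.27"),
    Advisory("ADV-EXAMPLE-002", "libz", "1.2.0", "1.2.4"),
    Advisory("ADV-EXAMPLE-003", "libxml2", "2.6.30", ""),
]


if __name__ == "__main__":
    for line in report(match_inventory(INVENTORY, ADVISORIES)):
        print(line)
```

The inventory is the thing that has to be kept honest: it is per application, not per host, so the same libz copy shows up once for each program that bundles it, and a fix has to be tracked per program too. The version parser deliberately refuses formats it does not understand, because a silently truncated version compares as older than it is and suppresses a match.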

Anyone ever seen a service for doing this or considered creating a module for any of the standard vulnerability scanners? I think it would be a valuable service and would save me and others a lot of time.
