Core Security Effort Aims to Improve Firms' Handling of Software Flaws
Companies too often focus on fixing the wrong software vulnerabilities, leaving themselves open to attack, a security expert says. Core Security is releasing at Black Hat a model to help companies properly patch flaws.LAS VEGAS—When security teams patch software vulnerabilities in their systems, they too often focus on the wrong issues, patching the holes that are easiest to fix rather than fixing the flaws that are most likely to be the focus of attackers. To help companies improve their handling of software flaws, vulnerability management firm Core Security will release, at the Black Hat security conference here this week, a model for companies to analyze their ability to properly patch software insecurities and a roadmap to improve their response. The model can be used by information security professionals to avoid data overload and better prioritize their vulnerability remediation efforts based on which flaws most threaten their business, Eric Cowperthwaite, vice president of advanced strategy at Core Security, told eWEEK. "If you are a typical CISO [chief information security officer] and you have five or six staff, do you focus broadly on your entire security surface, or do you focus on what is important?" he said, adding that companies that take a more mature approach to software patching will be more secure. "By approaching the problem this way, there will be less vulnerabilities available for the bad guys to use." Core Security's vulnerability management maturity model classifies a company's response into one of six levels, from firms with nonexistent programs to those organizations capable of managing an attack. The third level, for example, is where IT security professionals are meeting compliance obligations, beginning to work with IT operations and tracking metrics, but perhaps not the right ones.
The document, which Cowperthwaite has been developing using his experience as a former CISO for a large health care provider, also offers guidance for improving a company's vulnerability management processes. Companies that want to move beyond compliance, for example, should focus on meaningful metrics, create formal processes and use penetration testing to support their vulnerability management program.