Application Vulnerability Management

Introduction

Classifying Vulnerabilities

There are four main types of vulnerabilities:

  • Network vulnerabilities: Weaknesses in hardware, software, or operational processes that allow network access to unauthorized users.
  • Operating system vulnerabilities: Weaknesses that originate from software mistakes, AKA bugs, in an operating system (OS) that cause an unintended action to be performed on a device.
  • Application vulnerabilities: Weaknesses that originate from software mistakes in an application that cause an unintended action to be performed.
  • Configuration vulnerabilities: Weaknesses that originate from incomplete or improper setup of hardware or software. Application vulnerabilities are the most common type of vulnerability.

OWASP

OWASP stands for the Open Web Application Security Project®. It is an invaluable resource for maintaining web application security. They have a multitude of projects, tools, resources, training, and community members to research web application security.

OWASP produces the OWASP Top Ten, a list of the top ten most common web application security risks. For more information about those risks, visit the site to view the weaknesses and vulnerabilities that map to the top ten risks. One of OWASP’s other projects is the Web Security Testing Guide. It can be used by security professionals and application developers to test applications with an array of tools.

The Common Vulnerability Scoring System and National Vulnerability Database

The Common Vulnerability Scoring System (CVSS) is a commonly-used industry standard for ranking common vulnerabilities and exposures. The CVSS is often used in conjunction with the National Vulnerability Database (NVD), which lists each of these vulnerabilities and its CVSS score and assigns it a severity rating. The NVD centralizes vulnerability information from all around the information community.

CVSS Score Severity Rating Description
0.0 None The vulnerability is not really a vulnerability, but gives away some information that may or may not be useful to potential attackers.
0.1-3.9 Low The vulnerability is unlikely and/or difficult to exploit.
4.0-6.9 Medium The vulnerability is not incredibly likely to be exploited, is somewhat difficult to exploit, and/or requires special circumstances to exploit.
7.0-8.9 High The vulnerability enables local or unauthenticated remote users to bypass restrictions, view sensitive information, and/or disrupt, damage, or disable a system or device.
9.0-10.0 Critical The vulnerability could be easily exploited by an unauthenticated remote attacker and lead to compromise.

Requesting a Scan

Upon requesting a scan, the IT Security Office will reach out to schedule a time to scan the applicable devices and establish the scope of the scan. Once the scan is done, the IT Security Office will prepare a report of any and all major security issues and the full scan results. If any security issues were found, the affected devices and applications should be quarantined until all issues are resolved.

Discovered vulnerabilities should be resolved within a certain amount of time depending on its severity.

Vulnerability Severity Recommended Time to Resolve
None N/A
Low 30 days
Medium 14 days
High 7 days
Critical 7 days

Procedures

Requesting a Web Application Scan

  1. Login to 4Help.
  2. Navigate to the Vulnerability and Web Application Scanning knowledge base (KB) article.
  3. Click Request this service and fill out the request form.

Request a Security Review

Virginia Tech departments may request a security review of a commercial or homegrown application. The Virginia Tech IT Security Office (ITSO) is responsible for conducting security reviews, which can be requested through 4Help or by emailing ITSO at itso@vt.edu.

  1. Login to 4Help.
  2. Navigate to the Application Reviews knowledge base (KB) article.
  3. Click Request this service and fill out the request form.

Reporting an Incident

If you believe a server, application, or account has been hacked, you may report the incident in 4Help.

When in doubt, report it.

  1. Login to 4Help.

  2. Navigate to the Have I been hacked? KB article.

  3. Follow the General Incident Guidelines.

    A. Keep the system powered on.

    B. Unplug any network cables and disable wireless. This disconnects it from the internet while preserving evidence.

    C. If you’ve been locked out of your Virginia Tech account, contact 4Help to restore access.

    D. Only tell people who need to know about the issue in order to maintain confidentiality.

  4. Click Request this service.

  5. Fill out the reporting form and click Submit.

Resources

OWASP Top Ten

Web Security Testing Guide

4Help: Vulnerability and Web Application Scanning

4Help: Application Reviews

4Help: Have I been hacked?

VT Security: Web Application Scanning