Continuous threat exposure management (CTEM) series #3: mobilisation and remediation

July 31, 2025

The process of fixing vulnerabilities should yield security benefits beyond the immediate hardening of the affected application.

Implemented as part of continuous threat exposure management (CTEM), remediation can also generate insights that help to prevent the recurrence of similar vulnerabilities and optimise future security testing and vulnerability management. In this sense, the final ‘mobilisation’ phase of the CTEM cycle can be the engine of a positive feedback loop.

The 5 steps of CTEM

This is the third (but not final) part of a series on a CTEM model that Gartner predicted could lead to a two-thirds reduction in breaches, and its implementation via YesWeHack’s Attack Surface Management (ASM) solution.

In the first instalment we talked about systematically mapping your (probably) fast-growing external attack surface. This covered CTEM phases one and two: scoping digital assets, and automatically and continuously discovering related assets, services and technologies.

Part two addressed the prioritisation and validation of proliferating vulnerabilities. Our ASM platform automatically assigns priority scores based on severity, exploitability and asset criticality. These ‘findings’ are then manually confirmed or rejected according to whether they are exploitable within the environment.

Operationalising CTEM findings

The mobilisation phase then operationalises the information gathered so far:

  • Real-time visibility of your full attack surface
  • Knowledge of any CVEs currently affecting your environment
  • Knowledge of any validated vulnerabilities discovered through your own testing
  • The risk posed by each vulnerability within the context of your environment, as reflected by priority scores

This equips SecOps teams to deploy resources – teams, tools and processes – so that the highest-priority bugs are fixed urgently, the remainder are remediated in a timely fashion, and fixes are retested to confirm their effectiveness.

A unified, collaborative platform

Leveraging vulnerability reports from multiple sources is of course much easier if they are standardised and accessible from the same interface. This is what our platform delivers: a unified view of vulnerabilities generated from known issues (CVEs), Bug Bounty Programs, traditional pentests, Vulnerability Disclosure Policies (VDPs) and passive plus active scanning approaches.

All findings can be edited, shared, assigned and tracked in real time. These reports can be integrated with your existing bug-tracking tools through our connectors and open API.

Consolidating all vulnerabilities into a common interface facilitates essential collaboration between internal teams, and with security researchers, YesWeHack triagers and customer success managers.

For managed VDPs and Bug Bounty programs, triagers liaise with security researchers to clarify ambiguities and provide missing details – ensuring complete, actionable reports. Your teams can also engage with triagers, security researchers or pentesters directly from within the platform.

Bug Bounty hunters are incentivised to provide high-quality reports and prompt, helpful responses not just by the promise of financial rewards, but also to earn points that can unlock lucrative hacking opportunities.

Remediation decisions

The remediation timetable should be guided primarily by automated priority scores set in the prioritisation phase, which the user can manually adjust to reflect their risk appetite and operational context. This ensures the most dangerous vulnerabilities are addressed first.

With YesWeHack Bug Bounty Programs, remediation decisions can also be informed by the technical fixes and advice offered by Bug Bounty hunters – not just on when but also on how to remediate, and on how to communicate patches to users and regulators.

Consider how practical constraints can, alongside priority scores, impact remediation timelines.

For instance, remediation might be deferred when personnel are unavailable, or when a fix touches third-party systems or risks breaking functionality, particularly if compensating controls mitigate the risk effectively in the meantime. Conversely, vulnerabilities can jump the queue if a fix is simple and obviously non-disruptive, if evidence of in-the-wild exploitation emerges or if compliance requirements demand it, among other scenarios.

Positive feedback loop

Remediation doesn’t just close issues – it can improve secure development practices.

With input from triagers and hunters, your teams can identify patterns and turn patches into developer training material, or integrate automated tests early into CI/CD pipelines to catch similar bugs sooner.

Vulnerability insights can also inform broader security activities like access control reviews, red teaming activities or tabletop exercises.

Optimising the CTEM process and vulnerability discovery obviously depends on having the ability to track and evaluate a variety of operational metrics.

A SecOps team might, for instance, fine-tune its security testing coverage by filtering and analysing vulnerable assets by category, or by looking at the top five most vulnerable assets overall. In a bid to reduce time-to-fix, it might measure variables such as average first-response time, average resolution time by priority tier, or the percentage of retests that confirm a fix.

Our ASM enables SecOps teams to track and act upon these outcomes via executive dashboards and key metrics that can be sorted/filtered, represented by charts and exported as part of executive reports.
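The metrics named above can be computed directly from whatever records a remediation tracker keeps. The following script is an added example, not code from the original post or from YesWeHack's ASM platform: the `Finding` schema, the priority tiers, the `example.com` hostnames and the sample findings are all constructed for illustration. It computes average first-response time, average time-to-fix per priority tier, the retest success rate and the most vulnerable assets, skipping findings that are still open, unanswered or not yet retested so that in-progress work does not distort the averages.

```python
"""Remediation metrics over a constructed set of CTEM findings (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    """One validated finding as a tracker might record it (hypothetical schema)."""
    finding_id: str
    asset: str
    category: str
    tier: str                            # priority tier from the prioritisation phase
    reported: datetime
    first_response: Optional[datetime]   # None: nobody has responded yet
    resolved: Optional[datetime]         # None: still open
    retest_passed: Optional[bool]        # None: fix not yet retested


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def avg_first_response_hours(findings: List[Finding]) -> Optional[float]:
    """Mean hours from report to first response, over findings that have one."""
    deltas = [_hours(f.reported, f.first_response) for f in findings if f.first_response]
    return mean(deltas) if deltas else None


def avg_resolution_hours_by_tier(findings: List[Finding]) -> Dict[str, float]:
    """Mean time-to-fix per priority tier, counting only resolved findings."""
    by_tier: Dict[str, List[float]] = defaultdict(list)
    for f in findings:
        if f.resolved:
            by_tier[f.tier].append(_hours(f.reported, f.resolved))
    return {tier: mean(hours) for tier, hours in by_tier.items()}


def retest_success_rate(findings: List[Finding]) -> Optional[float]:
    """Percentage of retested fixes that held; None if nothing has been retested yet."""
    retested = [f for f in findings if f.retest_passed is not None]
    if not retested:
        return None
    return 100.0 * sum(f.retest_passed for f in retested) / len(retested)


def top_vulnerable_assets(findings: List[Finding], n: int = 5) -> List[Tuple[str, int]]:
    """Assets ranked by number of findings (ties broken alphabetically)."""
    counts = Counter(f.asset for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def findings_by_category(findings: List[Finding]) -> Dict[str, int]:
    """How many findings fall into each vulnerability category."""
    return dict(Counter(f.category for f in findings))


# Constructed sample data: assets, categories and timestamps are invented.
_D = datetime
SAMPLE_FINDINGS = [
    Finding("F-1", "api.example.com", "Injection", "critical",
            _D(2025, 7, 1, 9), _D(2025, 7, 1, 11), _D(2025, 7, 2, 9), True),
    Finding("F-2", "api.example.com", "Auth", "high",
            _D(2025, 7, 2, 10), _D(2025, 7, 2, 14), _D(2025, 7, 5, 10), True),
    Finding("F-3", "www.example.com", "XSS", "medium",
            _D(2025, 7, 3, 8), _D(2025, 7, 3, 20), _D(2025, 7, 10, 8), False),
    Finding("F-4", "www.example.com", "XSS", "medium",
            _D(2025, 7, 4, 8), _D(2025, 7, 4, 14), None, None),          # still open
    Finding("F-5", "vpn.example.com", "Misconfig", "high",
            _D(2025, 7, 5, 0), _D(2025, 7, 5, 6), _D(2025, 7, 6, 0), True),
    Finding("F-6", "api.example.com", "Injection", "critical",
            _D(2025, 7, 6, 12), None, None, None),                        # no response yet
    Finding("F-7", "legacy.example.com", "Outdated software", "low",
            _D(2025, 7, 7, 9), _D(2025, 7, 8, 9), _D(2025, 7, 21, 9), True),
]

if __name__ == "__main__":
    print("avg first response (h):", avg_first_response_hours(SAMPLE_FINDINGS))
    print("avg time-to-fix by tier (h):", avg_resolution_hours_by_tier(SAMPLE_FINDINGS))
    print("retest success rate (%):", retest_success_rate(SAMPLE_FINDINGS))
    print("top assets:", top_vulnerable_assets(SAMPLE_FINDINGS))
    print("by category:", findings_by_category(SAMPLE_FINDINGS))
```

On the sample data the critical tier averages 24 hours to fix while the low tier averages 336, and one of five retests failed (F-3), which is exactly the kind of signal that would send a team back to look at why an XSS fix did not hold. The same functions can be fed records exported from a tracker via its API; only the loading code would differ.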

The iterative nature of these CTEM activities lets teams adapt to emerging threats and maintain long-term resilience.

Strategised security testing and remediation

An incomplete view of your attack surface, ‘point in time’ pentests and a fragmented testing regime are no longer tenable for today’s threat landscape.

By offering a unified, comprehensive and risk-based approach to attack surface management, security testing and vulnerability management, YesWeHack’s solution can therefore serve as the missing link in your offensive security strategy.

In service of this strategy, our ASM offers continuous visibility of your true digital footprint and exposure to known and newly discovered vulnerabilities; automated prioritisation of vulnerabilities based on severity, exploitability and asset criticality; and strategised security testing and remediation to tackle the most critical vulnerabilities at scale.

The next and final instalment in our CTEM series will explore the synergy between Bug Bounty Programs and CTEM.

Schedule a demo with YesWeHack today and discover how a risk-based approach can transform your organisation's security strategy.