The information and data generated during the development process, or even when testing your systems, are extremely important for good management performance. The lack of information, or the difficulty of finding it, is without doubt a very heavy burden on the vulnerability management process and on other secure development processes alike.
It is not rare to find companies that still manage information, document test results and plan corrections through spreadsheets.
This is not information management.
Why take a chance on a centralized platform?
The lack of a single space to centralize the information needed for effective management of the secure development process is one of the most recurrent complaints among managers.
As we have said, it is not uncommon to find companies where the entire management process is based on exchanging spreadsheets whose information needs to be updated by several people.
This process introduces into secure development management a weakness in the data that can compromise the effectiveness of the process and leave critical situations unresolved.
It is also not difficult to find situations where the managers and operators of the process do not trust the accuracy of the information in the spreadsheets. This is not due to deliberate changes, but to the lack of control over the information, which can lead to a loss of data integrity.
Even if everything goes well and the information kept in the spreadsheets can be said to be correct, this control model still has a big problem.
Working this way, we lose the ability to analyze the data and extract valuable information from it that would let us improve and evolve our development model.
Information drawn from historical data is very important for refining a strategy, or even for planning training if a particular type of vulnerability is observed to recur in the code.
In a simple spreadsheet it is not possible, for example, to demonstrate the security level or the risk profile assumed by a company, things that are simple to show in a centralized information platform.
Lack of control over, or even ignorance of, information has its cost, and this can clearly affect the security of your code.
What are some possible threats?
When vulnerabilities are managed in an unstructured way, some impacts are to be expected.
Spreadsheets can help control some information, but as already mentioned, they bring a series of problems that lead to a lack of control and/or the loss of information that is important for vulnerability management.
By using a solution that was not designed for vulnerability management, we run the risk of not seeing a pattern of vulnerabilities that is always present in our code, and this lack of visibility can delay the opportunity to improve a process.
If you cannot perceive recurring vulnerabilities or situations, you may fail to understand, for example, that your team needs to invest more time in improvement, or even in training.
This knowledge gap, which could be identified through greater control over test results and by observing the vulnerabilities found over time, could be the root cause of a series of vulnerabilities present in the code.
A manager who cannot identify these gaps may miss the opportunity to reduce the number of vulnerabilities, and consequently the time spent reworking patches, by improving the team's knowledge.
Simply having more control over how the data is visualized can save the process resources.
Information access control
Another problem we identify in using spreadsheets as the basis of a management process is that in many companies there is a great deal of contact and exchange of activities between internal employees and third parties.
The use of third parties in the development process is common and brings benefits in many cases.
However, in some cases there is information that you do not want to share with people outside your team, and this forces a separation between information that may and may not be seen by certain teams, creating another point of failure to be controlled.
When the platform is built to manage the process, this concern is already addressed, because access control over the information must be part of it.
The ability to control access gives the manager greater control over the teams and over how they can and should work with the information they have.
With spreadsheet-based management, the chance of a high-impact or critical vulnerability being left to be fixed later, or even lost in the process, is high.
These lapses in information can bring unnecessary risks to the company that could have been avoided by the correct use of a vulnerability management platform.
Even if the result is marked as done, how can the process be audited?
If you use spreadsheets as the basis of control, auditing the correction activities is very limited and even hindered by the lack of structure for it.
If your company needs to prove an action in an audit process, presenting spreadsheets is not the best solution.
With platforms created for this purpose, records are kept correctly, and it is possible to demonstrate the history of actions in the process.
The impossibility of producing a reliable historical statement in auditing processes makes the process more time-consuming and much more rigid, because the auditor needs more data and information to demonstrate that the actions recorded in the spreadsheets were not performed in periods other than those reported.
The key? A proper management process using an AppSec tool
AppSec Flow is our Continuous Application Security platform and is structured to fully support the secure development process.
When it comes to vulnerability management alone, AppSec Flow is designed to give managers and their teams full control over their analysis information, data, access, history and statistics.
Besides allowing the whole process to be managed and audited in a much more practical way, AppSec Flow allows an analysis of the company’s code security scenario, which gives a centralized management view with much more control.
Within AppSec Flow, everyone involved in the vulnerability correction process can stay in contact. Centralized communication helps everyone on the team understand and learn, because everything is recorded and stored.
Another important factor is that AppSec Flow, by keeping all the records, history and data about a patch, also keeps that knowledge inside the company, because the whole patch process is registered.
When we built AppSec Flow, one thing was clear: we wanted to deliver a platform that was a centralized data solution.
With our DevSecOps tool, we did away with the need to send out unstructured reports, or reports made without care for context. For us, AppSec Flow itself is a great report, with its dashboard and the various information it presents.
However, if you need to send a report, you can still extract from AppSec Flow a structured report, created based on templates made by an experienced team of analysts.
Because our reports are generated from a base of templates, a number of problems are eliminated, such as the same vulnerability being reported and described in different ways by different analysts.
This simple fact saves time and resources, because the analyst only needs to identify the template for the identified vulnerability and add the evidence, and that's it: the report is finished.
Speaking of which, waiting for an analysis report is different in AppSec Flow. In an analysis process without a specialized platform, the report would only be available at the end of the analysis; in AppSec Flow this does not happen.
Because it is a SaaS platform, the moment the analyst identifies and registers the vulnerability in AppSec Flow, everyone involved in that analysis is notified.
This greatly speeds up the correction process, because there is no need to wait for the analysis to close before starting the correction plans.
This time can be crucial.
Using our DevSecOps platform can give the manager and their team the control they need to run the vulnerability management process in the best possible way.
Proper management of the vulnerability remediation process can be the difference between secure and insecure software.