A few years ago, the Conviso team realized that it needed to find a way to organize activities carried out with clients. It was necessary to put the analyses made in projects in order to centralize all the information and support a structured process of vulnerability management.
So, in 2008 we created a first version of the product that is now called AppSec Flow. It was a platform focused on DevSecOps Pipeline, which has been evolving since then.
Recently, for the creation of one of our articles, we asked our clients what they used before using AppSec Flow. We realized, then, that the answers obtained were very similar to what our team had faced in the past. Check it out:
Client 1: “Before, we used a spreadsheet to manage vulnerabilities. However, with several teams, that information was always lost”.
Client 2: “Before AppSec Flow, we adopted an in-house developed platform, but it was difficult to make all developers follow the same pattern”.
I believe this is the beginning of the entire vulnerability management process. But we must keep in mind that it is necessary to improve, seek to make the process manageable and with positive results for the efficiency of the whole team.
Therefore, at a certain point we have reached a point where spreadsheets are no longer our safe harbor. On the contrary – they start to bring us information of integrity problems, loss or even completely wrong information. And this is much worse for a team whose mission is to correct vulnerabilities that can bring great harm to the company.
Problems to the manager
The fact that it does not have the necessary control, and the lack of a clear vision about everything happening within the vulnerability correction process is a problem that has led development and/or security managers to suffer from errors, failures and lost information.
This scenario can’t clearly be neglected in companies that have the objective of having security handled correctly in their development structure.
After some time, the manager starts to realize that the current format is not the right one and that it is bringing more problems than solutions.
Normally, these managers then start to search the market for tools built with the objective of organizing and improving the flow of activities that help correct the vulnerabilities found.
But we still have a problem: many of these tools are made and created to act in various scenarios and work models, which makes them generic. In this context, many times this makes the company end up adapting to the tool process.
However, even so, many times the manager understands that this is justifiable and starts to use the tool – even if it is not the most adequate, and does not bring the best results.
The problem only increases when it is necessary to integrate the results of other tools, results and reporting tools that will feed the vulnerability management process. The outcome? chaos.
Now we have several tools, all generating their information – and all of this centralized on a platform that was not thought of.
The central issue here is that we have adopted a posture of trying to integrate a number of tools that were not prepared to work together, and this ends up complicating much more than helping.
We also have to take into account the fact that the developer in most cases already has his work style, his ways of interacting and recording.
Sometimes managers also forget that the learning achieved during the correction process is as important as the correction itself. And this is hardly found in a tool that has not been thought to operate as a DevSecOps Pipeline platform.
And how is the communication between the teams?
Another point that should be taken into consideration during the evaluation process of a platform is how it allows efficient communication between teams. Platforms created to organize these processes allow information to flow in all directions, and teams can exchange data and information about corrections in a clear and objective way, and this happens naturally in AppSec Flow.
It is important to ensure that the platform comes to ensure that each and every vulnerability correction process is carried out in the same way, regardless of who is executing the correction. Thus, it is important that there is the possibility of standardizing the actions that must be performed, ensuring that, in some way, they are validated.
Vulnerability management as a strong point
At Conviso, we have also experienced all these obstacles many years ago. And that’s exactly why we decided to build a platform that could help solve these problems and make the lives of managers and developers easier and more productive.
In a way, it was our own challenges that showed us the way. So we built AppSec Flow – a SaaS platform focused on DevSecOps Pipeline, which has in its Vulnerability Management module one of its strengths. It’s important to point out that the product has many other features, but in this article, we focus on this module
How Vulnerability Management works in AppSec Flow
The Vulnerability Management module provides a structured process for those involved in vulnerability discovery, analysis and correction that enables them to access all the data from other tools they may already use.
AppSec Flow, through its API, enables integration with tools that can deliver information that will make a difference during the process.
However, even with all this information being sent to it, it keeps control and the organization delivering the information in the way and at the time that the analyst or even the manager needs it.
Keeping track of the “status” of various analyses is much easier when using the AppSec Flow dashboard – and this allows the manager to keep the process organized.
In the Vulnerability Management module, the manager or developer will get an overview of everything that’s going on with their anaĺises, in a clear and efficient view.
But even with all this ease of access care, our system maintains strict control over who can or can’t access a particular analysis or vulnerability. This allows us to micro-manage the accesses, which can even be guaranteed to third parties.
In this screen, we can have a series of information that will make a manager understand the scenario they are dealing with, and also understand how the vulnerabilities are being treated throughout their process. The platform provides good information about the criticality of the vulnerabilities found in each of the analyses, and at which point in the process they are.
But we can go deeper. We can further detail the information, showing that control and information are also the focus of vulnerability management.
It can be seen on this screen that the amount of information we have about a vulnerability allows us to have a managerial view of what we can and can’t do with it.
With this type of organization, we quickly get a timeline of the analysis, and then we know how many vulnerabilities we have and at what point in time we have each of them.
The control over the history is complete, and allows, for example, to show in audit cases a line of actions that occurred in the process of vulnerability correction.
Reinforcing: it is important to ensure that knowledge is not lost and that it is available for consulting in other situations.
Following the same principle, we can have access to all the vulnerabilities found for this analysis, and in a clear and easy way, we can identify their criticality and the amount of components of our system affected by this vulnerability.
If there is a desire to observe each vulnerability in detail, or even understand what happens when one of them is exploited, it is possible to access each one and have more details.
In this image, we can see how complete the screen is, and how the information is presented to us in a way that makes our understanding easier.
The image above shows us a description of a vulnerability, its criticality and classification. It also shows steps for the developer to reproduce the vulnerability and clear evidence that it actually exists in their system.
There are many features that AppSec Flow has in its Vulnerability Management module. We understand that using the platform and its full potential is the best way for the manager or developer to realize that there is still room to improve their vulnerability management process.
We, from Conviso, are here to deliver a well thought platform built to help on this path, supporting this process and many others.