How are Vulnerabilities Discovered?
Vulnerabilities are discovered through many different avenues—both internally by developers who write software and externally by third parties who intentionally look for vulnerabilities in software. Internally, software companies and technology vendors will conduct security testing during software development before putting software into production and making it available to the public. Externally, good-faith security researchers and malicious threat actors constantly look for vulnerabilities in popular software. Some vendors even have bug bounty programs where they award researchers for discovering and disclosing vulnerabilities to them.
How are Vulnerabilities Disclosed?
The main goal of disclosing vulnerabilities is to reduce the risk of end users’ systems becoming compromised by a threat actor who exploits an unpatched vulnerability. Typically, companies and security researchers follow a coordinated vulnerability disclosure process where both entities wait until the vulnerability has a working patch assigned to it that mitigates further interference from threat actors. Once a patch is ready, the vendor will release the patch alongside a statement that a vulnerability was discovered and that a patch has been released. After a vulnerability has been formally patched, the vulnerability will be logged into the Common Vulnerabilities and Exposures Database (CVE).
How are Vulnerabilities Managed?
For organizations to adequately protect themselves, they must implement a comprehensive risk-based vulnerability management process. While large organizations are able to hire staff expressly for discovering and patching vulnerabilities, a small organization with limited resources can benefit from an established process that thoroughly assesses risks and prioritizes patching and mitigation based on the level of risk.
Cybersecurity is an ever-evolving challenge and experts must keep up to date with best practices. Events like Black Hat and DEF CON, and insights from our vulnerability white paper, play an important role in helping cybersecurity professionals keep current on how to best protect data and systems.
Download your copy of the report here, “Understanding Vulnerabilities: Insights Into the World of Software Vulnerabilities and Vulnerability Management.”
Visit our online Cybersecurity Center to explore additional resources.