Q&A: Vulnerability management
by Mirko Zorz - Wednesday, 19 August 2009.
Eric Perraudeau is the product manager for QualysGuard vulnerability management (VM) solutions. Prior to Qualys, Eric was a security engineer at Accor and Morse in France. In this interview, Eric discusses the many facets of vulnerability management.

What are the most important steps in the vulnerability management process? What technologies are essential?

When you start the process of managing security vulnerabilities within your organization, there are a few essential steps to make it successful, including:

1. Discover your IT assets and determine the network boundaries.

2. Organize and categorize these assets according to your organization and by business risk, for example:
  • Geography / Function / Technology groups
  • Classified by business risk analysis
  • Remote or centralized administration with multiple user accounts
  • Business Units.
3. Assess the security of these assets on a regular basis in order to discover any new vulnerabilities or misconfigurations.

4. Generate reports and prioritize remediation plans communicated to the correct stakeholders, for example:
  • Executive report with global/transversal metrics
  • Differential reports to measure the improvements and progress of patching.
5. Fix the vulnerabilities and…
  • Implement a patch management process/technology
  • A change management process is needed for production systems
  • Test patches before deploying in production
  • Deploy secured configuration policies
  • Update security policies regularly.
6. Verify and monitor the security improvements.

While all the steps mentioned are extremely important, to get an optimal outcome you will really want to focus attention on the prioritization and reporting aspects. Specifically:

Prioritization: vulnerability scans can generate a lot of data and you can be lost in these details. In order to know where to start the process or how you can improve it, prioritize the results based on:
  • Importance of the assets
  • Severity of the vulnerabilities
  • A risk analysis of your assets/network is a good starting point: “What assets are important for my company in order for the business to continue to run without interruption?” Then create an inventory of the applications and assets that are most important to your business operations.
Reporting: reports should be relevant to your organization and consistent over time. This allows you to measure progress over time and make sure the same security and patching methodology is used everywhere. The prioritization will also help you generate accurate technical reports that you can rely on.

In regards to essential technologies, look for:

Scanning technology/architecture that is:
  • Scalable and easy to deploy: As your network will change over time (company growth, acquisitions, re-organization etc.) you need to have a scanning technology that can easily evolve and adapt to support these changes.
  • Accurate: no false positives in order to focus on real vulnerabilities that need to be fixed
  • Universal: should support all the OS’s and products deployed in your company in order to have one solution that gives you the coverage you need.
Patch deployment tool/process: a solution that is able to deploy patches, configuration, scripts, software, and security policies. This solution should also provide a way to test and approve the packages before a global rollout, and manage exceptions.
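The prioritization and differential-reporting steps described in the answer above can be illustrated with a small script. This is an added example, not code from the interview or from any Qualys product; the asset inventory, the 1–5 criticality scale, the check identifiers (`CHK-…`) and the scan results are all constructed for illustration.

```python
"""Prioritizing scan findings and producing a differential report.

Added example: combines scanner-assigned severity with the business
criticality that comes out of the risk analysis, then compares two scan
cycles to show what was fixed, what is new and what still persists.
All assets, identifiers and findings below are constructed.
"""
from dataclasses import dataclass

# Constructed asset inventory: criticality 1 (low) .. 5 (critical),
# grouped by business unit and region as the answer suggests.
ASSETS = {
    "db-payments-01": {"criticality": 5, "unit": "Finance", "region": "EU"},
    "web-shop-02": {"criticality": 4, "unit": "Retail", "region": "EU"},
    "kiosk-lobby-07": {"criticality": 1, "unit": "Facilities", "region": "US"},
}

@dataclass(frozen=True)
class Finding:
    asset: str
    plugin_id: str   # hypothetical scanner check identifier
    title: str
    severity: int    # 1 (info) .. 5 (urgent), as assigned by the scanner

def risk_score(finding, assets):
    """Severity weighted by asset criticality.
    An asset missing from the inventory defaults to medium criticality (3)
    so an incomplete inventory never silently drops a finding."""
    criticality = assets.get(finding.asset, {}).get("criticality", 3)
    return finding.severity * criticality

def prioritize(findings, assets):
    """Highest risk first; ties broken deterministically by asset and check."""
    return sorted(findings, key=lambda f: (-risk_score(f, assets), f.asset, f.plugin_id))

def differential(previous, current):
    """Compare two scans of the same scope, keyed on (asset, check)."""
    prev = {(f.asset, f.plugin_id) for f in previous}
    cur = {(f.asset, f.plugin_id) for f in current}
    return {
        "fixed": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persisting": sorted(prev & cur),
    }

def executive_summary(findings, assets):
    """Roll findings up per business unit: count and summed risk."""
    summary = {}
    for f in findings:
        unit = assets.get(f.asset, {}).get("unit", "Unassigned")
        entry = summary.setdefault(unit, {"findings": 0, "risk": 0})
        entry["findings"] += 1
        entry["risk"] += risk_score(f, assets)
    return summary

# Constructed results from two consecutive scan cycles.
SCAN_WEEK_1 = [
    Finding("db-payments-01", "CHK-1001", "Outdated database engine", 4),
    Finding("db-payments-01", "CHK-2002", "Weak TLS configuration", 3),
    Finding("web-shop-02", "CHK-3003", "Missing web server patch", 5),
    Finding("kiosk-lobby-07", "CHK-4004", "Remote code execution in browser", 5),
]
SCAN_WEEK_2 = [
    Finding("db-payments-01", "CHK-2002", "Weak TLS configuration", 3),
    Finding("kiosk-lobby-07", "CHK-4004", "Remote code execution in browser", 5),
    Finding("web-shop-02", "CHK-5005", "Default credentials on admin console", 5),
]

if __name__ == "__main__":
    for f in prioritize(SCAN_WEEK_1, ASSETS):
        print(f"{risk_score(f, ASSETS):>3}  {f.asset:<16} {f.title}")
    diff = differential(SCAN_WEEK_1, SCAN_WEEK_2)
    for key in ("fixed", "new", "persisting"):
        print(f"{key}: {diff[key]}")
    print(executive_summary(SCAN_WEEK_2, ASSETS))
```

Note how the kiosk's "urgent" finding drops to the bottom of the list once asset criticality is factored in, while the payments database's medium-severity finding rises above it; that is the effect the answer's prioritization step is after. The differential output is the "measure the improvements and progress of patching" report from step 4, and the per-unit roll-up is the executive view.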
