Saturday, December 24, 2022

Vulnerability Scanning vs Vulnerability Management vs Vulnerability Assessment vs Penetration Testing

A typical vulnerability lifecycle has the following steps:

  1. Discover
  2. Prioritize Assets
  3. Assess
  4. Report
  5. Remediate
  6. Verify


Vulnerability Scanning -> Discover + Scan + Report


Vulnerability Assessment -> Discover + Scan + Prioritize (Asset + Vulnerability) + Report


Penetration Testing -> Discover + Scan + Exploit + Report


Vulnerability Management -> Discover + Scan + Prioritize (Asset + Vulnerability) + Report + Remediate + Verify


Although the PT lifecycle differs from the VM lifecycle, the PT steps are listed here for comparison purposes only. Also, as a VM analyst, one has to manage exceptions and analyze false positives, which I think can be considered part of the "Remediate" step.


Happy Learning !!

Vulnerability Management - Sudden Surge

Sometimes you will observe a sudden surge of a particular vulnerability in regularly scheduled reports, even though you had not observed that vulnerability in the past and the first-discovered dates are 6 months or perhaps years old.

The following are points to consider when looking for the cause of the sudden surge:


1. Scanning vendor changed the severity of the vulnerability

For example, consider a report that excluded severity 1, 2 and 3 vulnerabilities. The severity of the vulnerability was changed from 3 to 4, because of which it started appearing in the report. You can also observe such a surge if you shift from one scoring system to another.


2. Scanning vendor changed the detection logic of the vulnerability

For example, the detection logic flagged a particular version of a software product as vulnerable. The scanning vendor then decided to change the detection logic to exclude that version, but after some time the detection logic started flagging the version again.


3. Search list was modified

For example, consider a report that used a search list as a filter to exclude a few vulnerabilities. A team member modified the search list and removed the vulnerability (QID/Plugin ID) from it, so it started appearing in the report.
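As an added example that is not part of the original post, the following Python script triages such a surge by comparing two scheduled runs against the three causes above. It assumes each run keeps its report filters (the excluded severities and an exclusion search list of QIDs), the set of QIDs it reported, and a snapshot of each QID's KB severity at the time; all run data, QIDs and hosts below are constructed.

```python
"""Triage helper for a sudden surge of one vulnerability in scheduled VM reports.

Added example, not from the post. Assumes every report run is saved with its
filters (excluded severities, exclusion search list), the QIDs it reported,
and a KB snapshot holding each QID's severity on that date.
"""
from datetime import date

# Constructed sample runs (not real QIDs or hosts).
PREVIOUS_RUN = {
    "run_date": date(2022, 11, 1),
    "excluded_severities": {1, 2, 3},
    "search_list_excluded_qids": {"QID-2001"},
    "reported_qids": {"QID-4001"},
    "kb": {
        "QID-1001": {"severity": 3},
        "QID-2001": {"severity": 4},
        "QID-3001": {"severity": 4},
        "QID-4001": {"severity": 5},
    },
}
CURRENT_RUN = {
    "run_date": date(2022, 12, 1),
    "excluded_severities": {1, 2, 3},
    "search_list_excluded_qids": set(),          # a team member emptied the search list
    "reported_qids": {"QID-1001", "QID-2001", "QID-3001", "QID-4001", "QID-5001"},
    "kb": {
        "QID-1001": {"severity": 4},             # vendor raised severity 3 -> 4
        "QID-2001": {"severity": 4},
        "QID-3001": {"severity": 4},
        "QID-4001": {"severity": 5},
        "QID-5001": {"severity": 5},             # signature did not exist last month
    },
}
# Constructed per-host findings from the current run with their first-found dates.
FINDINGS = [
    {"qid": "QID-3001", "host": "srv-01", "first_found": date(2022, 3, 15)},
    {"qid": "QID-3001", "host": "srv-02", "first_found": date(2021, 9, 2)},
    {"qid": "QID-1001", "host": "srv-03", "first_found": date(2022, 6, 1)},
    {"qid": "QID-5001", "host": "srv-07", "first_found": date(2022, 11, 20)},
]


def report_includes(run, qid):
    """True if the run's filters let this QID into the report (QID must be in its KB)."""
    severity = run["kb"][qid]["severity"]
    return (severity not in run["excluded_severities"]
            and qid not in run["search_list_excluded_qids"])


def explain_surge(previous, current, findings):
    """Map each QID reported now but absent last run to the likely cause(s)."""
    explanations = {}
    for qid in sorted(current["reported_qids"] - previous["reported_qids"]):
        reasons = []
        prev_entry = previous["kb"].get(qid)
        if prev_entry is None:
            reasons.append("new signature: QID not in previous KB snapshot")
        else:
            prev_sev = prev_entry["severity"]
            cur_sev = current["kb"][qid]["severity"]
            # Cause 1: the vendor moved the severity across the report's filter line.
            if (prev_sev != cur_sev and prev_sev in previous["excluded_severities"]
                    and cur_sev not in current["excluded_severities"]):
                reasons.append(f"severity changed {prev_sev} -> {cur_sev}: "
                               "now inside the report's severity filter")
            # Same severity but the report's own filter was widened.
            elif (prev_sev == cur_sev and prev_sev in previous["excluded_severities"]
                    and cur_sev not in current["excluded_severities"]):
                reasons.append("report severity filter widened")
            # Cause 3: the exclusion search list was edited.
            if (qid in previous["search_list_excluded_qids"]
                    and qid not in current["search_list_excluded_qids"]):
                reasons.append("search list modified: QID no longer excluded")
            # Cause 2 (inferred): filters already allowed the QID last run, yet hosts
            # carry first-found dates from long before it, so the detection logic
            # was most likely switched off and back on by the vendor.
            if not reasons and report_includes(previous, qid):
                old = [f for f in findings
                       if f["qid"] == qid and f["first_found"] < previous["run_date"]]
                if old:
                    reasons.append(f"{len(old)} finding(s) first found before "
                                   f"{previous['run_date']} yet absent last run: "
                                   "suspect detection logic change")
        if not reasons:
            reasons.append("no filter or KB change found: treat as genuinely new exposure")
        explanations[qid] = reasons
    return explanations


if __name__ == "__main__":
    for qid, reasons in explain_surge(PREVIOUS_RUN, CURRENT_RUN, FINDINGS).items():
        print(qid, "->", "; ".join(reasons))
```

Each QID that appears only in the new run gets an explanation, so the analyst can separate vendor-side changes (severity, detection logic) from changes on their own side (search list, report filter) before raising anything with the vendor or the asset owners.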


Happy Learning !!

Friday, December 9, 2022

Vulnerability Management - Vulnerability Detection Pipeline

Received information about a zero-day vulnerability from the TI team? You checked the Qualys KB to see whether Qualys has published a signature and found that it has not been released yet. What will you do now? Create a case with Qualys to request the signature? Yes, you can do that, but Qualys also has a platform known as the Vulnerability Detection Pipeline, which you can refer to before creating the case.


The VDP is intended to give users an early insight into some of the CVEs the Qualys Research Team is investigating. It may not show all the CVEs that are actively being investigated. Specific CVE feature requests filed via a Qualys Support case may or may not show up on this page.


Please refer to the links below for more information:

https://community.qualys.com/vulnerability-detection-pipeline/

https://blog.qualys.com/vulnerabilities-threat-research/2020/09/16/vulnerability-detection-pipeline-beta


Happy Learning !!

Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...