The Center for Internet Security (CIS) provides Critical Security Controls to help organizations improve cybersecurity. Control 7 addresses continuous vulnerability management (this topic was previously covered under CIS Control 3). Continuous vulnerability management is the process of identifying, prioritizing, documenting and remediating weak points in an IT environment.
When Algolia’s security program manager Regina Bluman ran a Twitter poll to see how many people within the security industry understood the concept of EASM, she didn’t expect that the term is far from being on an IT security team’s radar. Moreover, most were not even aware of it.
What’s your role in the vulnerability management process?
Over the years, as a developer, I’ve built and deployed many applications through digital agencies, side projects, startups, and freelance work. With time-sensitive deadlines, client expectations, and delivery dates to consider, security wasn’t usually top of mind when npm installing an open source package. This often led to reworking and cleanup on deployments that had let in known vulnerabilities, adding to compounding timelines and client disappointment.
CVE-2022-23648, reported by Google’s Project Zero in November 2021, is a Kubernetes runtime vulnerability found in Containerd, a popular Kubernetes runtime. It lies in Containerd’s CRI plugin that handles OCI image specs containing “Volumes.” The attacker can add Volume containing path traversal to the image and use it to copy arbitrary files from the host to container mounted path. The vulnerability was reported by Felix Wilhelm on Nov.
Ignore a vulnerability? That sounds like a paradox. Why would anyone want to ignore a vulnerability? While ignoring security issues should not be your default practice, it is still sometimes necessary. Development and security teams today face vulnerability backlogs consisting of thousands of issues. To maintain rapid development, they must be able to effectively prioritize their work.
When protecting an organisation against cyber attacks, the words security threats, vulnerabilities, risk exposure, and sometimes exploits are seen very commonly. Unfortunately, these terms are not used correctly or interchangeably and are often left undefined.
Call me David. As you might have heard, Log4Shell, “the single biggest, most critical vulnerability ever”1 was recently disclosed to the public. You may even have seen us make mention of it here, here, here, or even maybe here. Splunkbase was impacted by way of apps both made by Splunk and third-party developers.
The first few months of 2022 have brought with them plenty of breaches and vulnerabilities for threat experts to sink their teeth into; in March alone, Microsoft has patched 71 CVEs, two of which, CVE-2022-22006 and CVE-2022-24501, were deemed critical–but more on those later. Meanwhile, cloud-based software company Okta has suffered a cyber-attack, believed to be at the hands of threat actor “Lapsus$”, which has put thousands of its 15,000 customers on high alert.
