The National Vulnerability Database (NVD) provides a way for vendors to have research into their products publicly disclosed so that people can find and review the latest security information. When discovered, vulnerabilities are given a unique identifier known as CVE – or Common Vulnerabilities and Exposures.
The CVE Compatibility Program is an effort by vendors of security-related software to make sure they can work with each others’ products. The Program helps ensure that a vulnerability properly described and publicly disclosed by one vendor is not re-described as a vulnerability in another vendor’s product.
Through the CVE Compatibility Program, vendors can share information about the vulnerabilities in their products, and this information is included in the NVD database. This comprehensive list of vulnerabilities helps individuals and organizations search for reported security problems and take the necessary action to secure vulnerable systems.
Patch Management Program Details:
The first thing you should know about is what it is and how it works. Patch management is a process that involves testing, approving, and deploying updates to systems to fix vulnerabilities. This includes both the deployment of patches on business systems and the release of code changes for open-source software. The process starts with careful planning where steps are mapped out to avoid any risk that might lead to a security breach or failure, a disaster recovery team is also created in case something goes wrong which makes sure any critical system still works correctly without interruption as well as making sure there are no hardware related risks by checking hardware before installation can start.
Converting the CVE list to Patch Vulnerabilities:
While there is no single formula to convert CVEs into vulnerabilities, this post will hopefully provide helpful guidelines. The goal is to create a list of all vulnerabilities that have been patched with the most recent update.
- Find https://www.cvedetails.com/browse?id=CVE-2018-0109, which is the example CVE we will be using for this post.
- Locate the date 2018/02/14 in the lower right corner and look up to see what vulnerability was patched on that date — “Adobe Acrobat and Reader: Multiple vulnerabilities”.
- Open reader_acres_patch_v3.txt for the Acrobat Reader patch for CVE-2018-4245
- Locate the following vulnerabilities: CVE-2018-4245, CVE-2018-4246, CVE-2018-4247, CVE-2018-4248, and CVE-2018-4250.
Now that we have updated our list with information, we can start making our own rules to convert our list into a table that will make it easier to read and evaluate.
- Please create a new column with the CVE ID number and an easy way to identify what it is for. For example “de-2018-4245”
- Create a new column with the title of the patch, such as: “ACR2HF Patch”.
- Create a new column that will be a function of the patch. For example “Fixed”, “High”, or “Critical”. The reason we are making this separate from our title is that one CVE can have multiple patches. In this case, we make multiple columns for each patch and list them in order in our table. We do not have separate columns for each CVE as that would only add confusion to our table.
- Create a new column with the date of the patch.
- Create a new column with the severity of the vulnerability. We made this formula:
<nowiki>Function in CVE*100000</nowiki
This function is based on the function type that was listed in our title and converts it to a number ranging from 1-100,000. The higher the number, the more severe it is. This may be different than how your company makes its severity list. If so, then you may want to adjust this for your purposes.
- The next step is to establish a process for deploying the patches and new software, this is done by creating an approval process where all patches and new software must pass before being able to deploy on any system from the organization.
- The approval process also includes setting any restrictions or limitations some organizations will not allow patches to be deployed on production systems, for example, other organizations require security tests or audits before deployment.
- Security tests are
performed using penetration testing teams with the help of external
companies or internal teams specifically created for that purpose. It
involves testing each part of a system from outside to identify possible
vulnerabilities, some popular tools used during these tests include:
Aircrack-ng, Burp Suite, Cowpatty. - Once these tests are completed, the patch will be deployed constantly and it is done by regularly checking systems for the presence of the patches and new software. As a final step, it is important to audit any system that has been previously patched to check how the new functionality has affected it.
- With this process in place, it becomes easier for organizations to understand and control their security. Organizations can set goals for how many patches must be available at all times, based on different situations such as vulnerability risk, compliance standards depending on industry sectors and regulations, business policies, or any other factors that might influence patch management in your organization.
Conclusion:
Patch management is a powerful tool for organizations to manage security risk, the plan can be defined to ensure that patches work as expected, and to create policies for handling any events that are triggered by them. It requires careful planning and understanding before an organization can start using it effectively. All members of a department or division must participate in the process because they know the environment better than other people in your department which makes it easier to create patches and new software that will work as expected. Without planning, patch management may lead your organization into disaster.