The National Institute of Standards and Technology advises that when known software vulnerabilities are unmanaged, uncorrected, or undetected, attack vectors are open to exploitation. As a result, vulnerable software becomes a key target that attackers can use to initiate an attack on an organization’s network and expand control to attack other components on the network. However, an automated assessment of known software vulnerabilities and weaknesses helps verify that the software vulnerability management capability is working, NIST reported.
To facilitate this effort, NIST and Department of Homeland Security (DHS) researchers have developed an automated process to assess the effectiveness of the security controls that provide the information security capability known as Software Vulnerability Management (VULN), the focus of which is to manage risk created by defects present in software on the network.
NIST Interagency Report (NISTIR) 8011 Volume 4, Automation Support for Security Control Assessments: Software Vulnerability Management, provides an operational approach for automating security control assessments to manage vulnerabilities in software. This approach is consistent with the NIST Risk Management Framework as described in NIST Special Publication (SP) 800-37 and the guidance in NIST SPs 800-53 and 800-53A, in particular.
A total of 13 volumes are planned for NISTIR 8011. Volumes 1 and 2 were published in 2017, and Volume 3 was published in 2018. Subsequent volumes will provide details specific to each capability and will be organized similarly to Volumes 2 through 4.
The NISTIR 8011 capability-specific volumes focus on the automation of security control assessment within each individual information security capability. They add solid detail to the more general overview given in NISTIR 8011 Volume 1, providing a template for transition to a detailed, NIST standards-compliant automated assessment. Volume 4 of NISTIR 8011 addresses the management of risk created by defects present in software loaded on a network, NIST explained.
Software vulnerability management, within the scope of the draft, focuses on known defects discovered in software in use on a system. The Common Weakness Enumeration (CWE) provides identifiers for weaknesses that result from poor coding practices and have the potential to result in software vulnerabilities. The Common Vulnerabilities and Exposures (CVE) program provides a list of many known vulnerabilities. Used together, CVE and CWE identify software defects and the weaknesses that cause a particular defect, NIST advised.
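The following is an added illustration of the kind of automated check the report describes, not code from NIST or from NISTIR 8011: a software inventory is compared against a vulnerability feed in which each record carries a CVE identifier, the affected product, the first fixed version, and the CWE that caused the defect. The inventory, the feed, and the CVE identifiers (CVE-0000-000x) are all constructed placeholders for the example. Versions are compared numerically rather than as strings so that, for example, 2.10.0 is correctly treated as newer than 2.9.9.

```python
"""Minimal automated VULN check (added example; constructed data, not NIST's)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str            # placeholder identifier, not a real CVE
    product: str
    fixed_version: tuple   # installed versions strictly below this are affected
    cwe_id: str            # weakness class that caused the defect


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


# Constructed vulnerability feed: CVE -> affected product, fix version, CWE.
FEED = [
    VulnRecord("CVE-0000-0001", "examplelib", parse_version("2.4.1"), "CWE-79"),
    VulnRecord("CVE-0000-0002", "examplelib", parse_version("2.0.0"), "CWE-119"),
    VulnRecord("CVE-0000-0003", "parserd", parse_version("1.2.0"), "CWE-119"),
]

# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "host-a": {"examplelib": "2.3.9", "parserd": "1.2.0"},
    "host-b": {"examplelib": "1.9.5", "parserd": "1.1.3"},
    "host-c": {"examplelib": "2.4.1"},
}


def find_unpatched(inventory, feed):
    """Return (host, product, installed, cve_id, cwe_id) for every open defect."""
    findings = []
    for host, software in inventory.items():
        for rec in feed:
            installed = software.get(rec.product)
            if installed is None:
                continue  # product not present on this host
            if parse_version(installed) < rec.fixed_version:
                findings.append((host, rec.product, installed, rec.cve_id, rec.cwe_id))
    return findings


def assess_capability(inventory, feed):
    """Summarise how well the VULN capability is working across the inventory.

    The per-CWE count points at the coding practices that keep producing
    defects, complementing the per-host list of patches still outstanding.
    """
    findings = find_unpatched(inventory, feed)
    return {
        "hosts_assessed": len(inventory),
        "hosts_failing": len({f[0] for f in findings}),
        "findings": findings,
        "by_cwe": Counter(f[4] for f in findings),
    }


if __name__ == "__main__":
    result = assess_capability(INVENTORY, FEED)
    print(f"{result['hosts_failing']} of {result['hosts_assessed']} hosts have unpatched software")
    for host, product, installed, cve, cwe in result["findings"]:
        print(f"  {host}: {product} {installed} affected by {cve} ({cwe})")
    print("defects by weakness class:", dict(result["by_cwe"]))
```

With the constructed data, host-a and host-b fail the check while host-c passes, and both findings tables point back to the same two weakness classes, which is the CVE-to-CWE link the report relies on.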
Attackers exploit vulnerable software to initiate an attack internally and to expand control within an organization’s network. Once inside, bad actors can install malware, steal intellectual property and cause users to doubt the authenticity of data, to name just a few nefarious outcomes.
"Patching vulnerabilities discovered in existing software and improving coding practices for future software releases are two ways to limit the success of attacks," NIST said.
Download the NISTIR 8011 Vol. 4 (Draft)
A public comment period for this document is open through Dec. 20, 2019. Please email comments to: firstname.lastname@example.org