Finding Published Vulnerabilities
So now we have a list of the third-party libraries, networked services, and operating systems in use on our network. Wherever possible, we also have version numbers. This list might not be complete, and might never be complete, but it’s still useful. Now we need to see what vulnerabilities have been published for this software.
Searching for vulnerabilities is manual
Searching for vulnerabilities is a manual effort. There isn’t a lot of consistency in how vulnerabilities are reported, and there isn’t a single centralized location for all vulnerabilities across every piece of software in the world. This means you’ll need to combine searches from multiple sources to get a complete picture of the vulnerabilities you’re exposed to.
You’ll need to build up a list of URLs to search manually. This list will be highly specific to your organization. It will most likely contain a combination of the home pages for each piece of software you use, mailing list archives, online forums, Tavis Ormandy’s Twitter stream, RSS feeds, and CVE searches.
Documentation is key
Be sure to document your vulnerability search process. Include specific URLs as well as how to search. In some cases, like the CVE website, this will involve using the search capabilities of a website. In other cases, this will include visually scanning web pages for announcements of security issues. Rotate responsibility for doing this across your team. It’s good to share this work since it can be tedious. It’s also good to avoid siloing this knowledge in a single team member’s head in case someone leaves or takes a vacation. And it’s good to see how different people search for vulnerabilities. Different people will know about different third-party tools in use, so diverse viewpoints will help cover as much as possible. You can’t patch what you don’t know is in use.
Regularly monitor for vulnerabilities
You will want to perform a search for vulnerabilities in your dependencies on a regular basis. Exactly how often? As often as time allows. If it is time-consuming, try to automate it. In time, this should become a reasonably quick activity.
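One way to automate the CVE cross-check, as an added example that is not from the original text: it compares a constructed software inventory against vulnerability records shaped like NVD's `versionStartIncluding` / `versionEndExcluding` ranges. The vendor and product names, versions and CVE ids are placeholders, and versions are assumed to be plain dotted numbers.

```python
# Added example: cross-check an inventory against vulnerability records in the
# shape of NVD "configurations" entries. Inventory, records and CVE ids are
# constructed sample data, not real advisories; in practice the records would
# be loaded from a saved NVD feed. Versions are assumed to be dotted integers.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Affected:
    vendor: str
    product: str
    start_incl: Optional[str]   # versionStartIncluding (None = no lower bound)
    end_excl: Optional[str]     # versionEndExcluding   (None = no upper bound)

def parse_version(v):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, rule):
    """True when version falls inside the rule's [start_incl, end_excl) range."""
    v = parse_version(version)
    if rule.start_incl and v < parse_version(rule.start_incl):
        return False
    if rule.end_excl and v >= parse_version(rule.end_excl):
        return False
    return True

def find_matches(inventory, records):
    """Return (cve_id, vendor, product, version) for every inventory hit."""
    hits = []
    for vendor, product, version in inventory:
        for cve_id, rules in records.items():
            for rule in rules:
                if (rule.vendor, rule.product) == (vendor, product) and is_affected(version, rule):
                    hits.append((cve_id, vendor, product, version))
    return hits

INVENTORY = [  # constructed: vendor, product, version from the asset list
    ("examplevendor", "webserver", "2.4.49"),
    ("examplevendor", "webserver", "2.4.52"),
    ("othervendor", "queue", "3.1.0"),
]
RECORDS = {  # constructed placeholder ids, not real CVEs
    "CVE-0000-0001": [Affected("examplevendor", "webserver", "2.4.0", "2.4.51")],
    "CVE-0000-0002": [Affected("othervendor", "queue", None, "3.0.0")],
}

if __name__ == "__main__":
    for hit in find_matches(INVENTORY, RECORDS):
        print("%s affects %s/%s %s" % hit)
```

Only the 2.4.49 web server is reported: 2.4.52 sits at or above the fixed version, and the queue is already newer than the affected range.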
If you’re pressed for time, a compromise may be to search for third-party vulnerabilities on Microsoft’s monthly “Patch Tuesday.” Microsoft has established the practice of releasing patches on the second Tuesday of each month. Since your network probably contains a lot of Windows machines, syncing your vulnerability searches to coincide with Microsoft’s vulnerability disclosure can be a reasonable starting cadence.