Vulnerability assessment identifies security risks on assets in the form of software vulnerabilities, missing patches, and configuration weaknesses. It can be used for everything from operating systems and software applications, to Web applications and virtual environments. The data is graded in the form of vulnerability risks. There are many standards for reporting those risks, and even more regulatory standards worldwide that grade the results and set service-level agreements for remediation and prioritization.

The act of performing a vulnerability assessment has evolved tremendously since its inception in the late 1990s. Originally, devices were assessed via TCP/IP and network scanning technology using sequential lists of targets and IP addresses. Today, the technology has evolved to use distributed-state machines, targeting using advanced connectors for technologies like Amazon AWS or VMware, and the ability to assess targets deeply using agent technologies and a variety of credential mechanisms.

An unfortunate absence with all this evolution is that the rating mechanisms (barring CVSS environmental scores) are based on the severity of the vulnerability itself, and unaffected by mitigating controls or criticality of the asset to the services and business processes it provides. Considerations such as how the vulnerability was found and what it actually means to the asset have been ignored.

Take, for example, CVE-2014-160 with a CVSS score of only 5.0. Many of you are familiar with it as Heartbleed. That newsmaking vulnerability can be present on many different types of systems, but all of them have the same critical risk score. It can found on a top Web service or a local system library, but regardless of whether it is active in memory and potentially exploitable or inactive, sitting unused in a library on the disk, vulnerability assessment solutions will report both as critical – despite its industry-standard score. The key difference here is active processes. Vulnerability assessment solutions do not take into consideration the different “states” of a vulnerability.

This white paper discusses three potential states for vulnerabilities that are identified with vulnerability assessment solutions and the business ramifications of remediation strategies. In addition, based on these concepts, the paper will briefly familiarize readers with some new technologies in Retina and PowerBroker that begin to fill the gaps.