Vulnerability Response (VR)
Vulnerability Response is the overall set of processes and practices that deal with the existence of vulnerabilities in systems. VR spans the whole lifecycle, from reducing the introduction of vulnerabilities as part of a Secure Development Lifecycle (SDL) to remediating vulnerabilities in deployed systems through patch deployment.
Resources
Below are a few resources for further reading on these topics:
- Threat Modeling is Adam Shostack's book on the subject.
- SEI CERT Coding Standards is a collection of coding standards from the CERT Division of the Software Engineering Institute.
- Cybersecurity Engineering Research: Security Engineering Risk Analysis (SERA) Collection is a collection of resources on the topic from the CERT Division of the Software Engineering Institute.
Vulnerability response in the design and development phases often takes the form of practices such as Threat Modeling, Secure Coding, and Security Engineering Risk Analysis (SERA).
However, such practices are unlikely to ever completely prevent vulnerabilities from being introduced into released software and deployed systems. For those vulnerabilities that escape detection by these early lifecycle practices, it remains necessary to plan for their eventual discovery and disclosure.
The goals of vulnerability response include the following:
- Limit attacker advantage over defenders.
- Reduce the population of vulnerable product instances as quickly as possible.
- Reduce the impact of attacks against vulnerable systems.
Incident Response vs. Vulnerability Response
The term Incident Response is sometimes used as a synonym for Vulnerability Response. The two concepts are related but distinct: Vulnerability Response refers specifically to responding to reports of product vulnerabilities, usually via the CVD process, whereas Incident Response is broader and also covers other security events such as network intrusions. Because this work is specifically about CVD, we will generally use the term Vulnerability Response.