Flexera Recommends Taking a Standardised, Risk-based Approach to Managing Vulnerabilities Including Spectre and Meltdown

Three-Pronged Approach Helps CIOs Allocate Scarce IT Resources to Remediate Risky Security Vulnerabilities

Flexera, the company that’s reimagining how software is bought, sold, managed and secured, today announced recommendations for a standardised, risk-based approach to managing vulnerabilities such as Spectre and Meltdown. Flexera’s three-pronged approach, based upon internal expertise around vulnerability remediation and intelligence harvested from Secunia Research’s Advisories, advises organisations to:

1. Determine Criticality: Determine actual Spectre/Meltdown risk criticality using verified vulnerability intelligence
2. Prioritise: Prioritise remediation of known vulnerabilities based on criticality – not hype
3. Fix Using Conservative Mitigation Approach: Apply patches with an emphasis on testing in controlled environments

“There’s no doubt companies should be concerned about Spectre and Meltdown. But since these vulnerabilities came to light on January 3, Secunia Research at Flexera has published dozens of advisories on unrelated, highly critical vulnerabilities. If weaponised, exploitation of these vulnerabilities could have a devastating impact on organisations,” said Kasper Lindgaard, Director of Research and Security at Flexera. “With more than 17,000 vulnerabilities disclosed within the past year – how do organisations know where to allocate scarce IT resources to minimise risk? They need access to verified vulnerability intelligence and must take a common-sense, risk-based approach to applying patches. Otherwise they’ll be forever chasing shadows from one sensational news cycle to the next.”

Understanding True Spectre/Meltdown Risk
The Spectre and Meltdown processor vulnerabilities are documented in three CVEs (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715). While these vulnerabilities are indeed pervasive and potentially harmful, to truly assess risk CIOs need deeper vulnerability intelligence than a basic CVE score. This deeper intelligence should provide product context that takes into account attack vectors and possible security impact, allowing security teams to look beyond the speculation commonly hyped by the media.

To date, Secunia Research at Flexera has issued more than 35 vulnerability intelligence advisories linked to Spectre/Meltdown, and most were scored below “Moderately Critical” (criticality scores of 1 to 3 out of a maximum score of 5). This suggests that while the Spectre/Meltdown vulnerabilities are important, other more critical unpatched vulnerabilities within the environment could present a more immediate threat.

Prioritised Patching
Once CIOs have an accurate understanding of the risk to their environments, they can put in place common-sense, risk-based remediation plans. This ensures they are prioritising those risks and allocating scarce IT resources accordingly.

“Because of its massive scale, Spectre/Meltdown has dominated the headlines for the last couple of weeks. But prudent CIOs shouldn’t take their eye off the ball,” said Lindgaard. “By identifying the vulnerabilities that could pose the greatest harm and prioritising remediation efforts to those first, organisations can most efficiently and cost-effectively minimise risk.”

Conservative Mitigation
With risk and prioritisation established, organisations should then apply patches with an emphasis on testing in controlled environments. Using established processes and tools to identify possible unintended consequences ensures that the potential performance hits and compatibility issues of patching are understood ahead of time.

“Patching is essential to reduce the attack surface, but it must be done prudently and with an understanding ahead of time of potential impacts on system performance and stability,” added Lindgaard. “Mitigation should happen carefully and conservatively, with a focus on risk-based models.”

Resources:
Download the Vulnerability Review 2017

About Flexera
Flexera is reimagining the way software is bought, sold, managed and secured. We view the software industry as a supply chain, and make the business of buying and selling software and technology asset data more profitable, secure, and effective. Our Monetisation and Security solutions help software sellers transform their business models, grow recurring revenues and minimise open source risk. Our Vulnerability and Software Asset Management (SAM) solutions strip waste and unpredictability out of procuring software, helping companies buy only the software and cloud services they need, manage what they have, and reduce compliance and security risk. Powering these solutions and the entire software supply chain, Flexera has built the world’s largest and most comprehensive repository of market intelligence on technology assets. In business for 30+ years, our 1200+ employees are passionate about helping our 80,000+ customers generate millions in ROI every year. Visit us at http://www.flexera.com.

About Secunia Research at Flexera
Secunia Research at Flexera is a research team with globally recognised expertise in discovering, verifying, testing, validating and documenting vulnerabilities on tens of thousands of applications and systems. Our experts work under strict ethical guidelines and collaborate with the research community and software producers to guarantee the quality of the vulnerability information we document.

Press Contacts

Nicola Males
Vanilla PR
+44 +447976652491

Vidushi Patel
Vanilla PR
+44 7958474632