How to hone an effective vulnerability management program

Last updated: June 2014

Editor's note

Security teams deal today with a barrage of new, rapidly evolving threats. An effective vulnerability management program is essential if an enterprise is going to survive in the modern threat landscape. This guide offers information and advice on topics -- like risk assessment, penetration testing, and patch and configuration management -- that security professionals need to know to craft an effective vulnerability management program.

1. Penetration testing

A vulnerability management program that's effective is one that's been thoroughly tested. Penetration testing is the search for security vulnerabilities in a system, network or application. The idea is to locate the weaknesses before an attacker does and eliminate them. In this portion of the guide, you'll get advice from several experts on what works best when it comes to organizing and carrying out a penetration test. There are risks involved, as with any security effort, but there are also newer enhancements to pen testing to consider, such as the use of social engineering methods.

2. Ethical hacking

While pen testing is essential for security, there are right and wrong ways to go about it. A concept called "hacking back" has become popular but is still being developed, as well as debated. What's clear so far is that to "ethically" hack a system, you need to establish both policy and processes. The experts here weigh in on how to do both. Still, it's worth noting that some industry heavyweights, like Gary McGraw, argue that hacking back is the wrong way to think about the problem of system and app security. In this segment of our guide, you'll learn about the concept and the ongoing arguments in this still-evolving area of security.

3. Patch management

Testing a system inevitably reveals security gaps that must then be addressed. In this segment, learn the risks involved in patching in an era of zero-day exploits. Even without external threats, patching can be tough, and some patches are tougher to apply than others. Read on and you'll come away better equipped to tackle particularly challenging fixes, and you'll also learn how to do so with a minimum of expense.

4. Risk tutorials

Creating a vulnerability management program from the ground up requires first understanding where your security gaps are, devising a plan to fill them and then deciding how to make the fixes. That means acquiring the right tools. The links here lead you to informative presentations about a range of security vulnerability tools.

5. More from the Dummies author on vulnerability assessment

The preceding segments of this guide address a range of issues related to managing system vulnerabilities. But as expert Kevin Beaver knows, a huge part of maintaining security is remaining flexible and adapting to changing technology and attack methodologies. In this segment Beaver relates his on-the-ground experiences in coping with the changing threat landscape.

6. Defining the terms

The information security field is loaded with sometimes confusing terminology and acronyms, and the subfield of vulnerability management is no different. Here we've gathered a concise glossary for easy reference.