1.1 Purpose and Scope
The purpose of the National Institute of Standards and Technology (NIST) Interagency Report (NISTIR) 8011, Volume 4 is to provide an operational approach for automating the assessment of NIST SP 800-53 security controls related to the Information Security Continuous Monitoring (ISCM) security capability of software vulnerability management (VUL). The VUL capability is consistent with the principles outlined in NISTIR 8011, Volume 1.
The scope of this report is limited to the assessment of security controls/control items that are implemented for managing software security vulnerabilities and coding weaknesses, also referred to as flaws, as defined in NIST SP 800-53.
1.2 Target Audience
Because it is focused on the VUL capability, NISTIR 8011, Volume 4 is of special relevance to those who authorize, download, install, and/or execute software—particularly software patches. In addition, NISTIR 8011, Volume 4 is relevant to those who design, code, and test software, and those who wish to understand the risks that software might impose on non-software assets.
1.3 Organization of this Volume
Section 2 provides an overview of the VUL capability to clarify both scope and purpose and provides links to additional information specific to the VUL capability. Section 3 provides detailed information on the VUL defect checks and how the defect checks are used to automate assessment of the effectiveness of NIST SP 800-53 security controls and control items that support the VUL capability. Section 3 also provides artifacts that can be used by an organization to produce an automated security control assessment plan for most of the control items supporting software vulnerability management.
1.4 Interaction with Other Volumes in this NISTIR
Volume 1 of this NISTIR (Overview) provides a conceptual synopsis of using automation to support security control assessment as well as definitions and background information that facilitate understanding of the information in this and subsequent volumes. NISTIR 8011, Volume 4 assumes that the reader is familiar with the information in Volume 1 as well as concepts and terms from the NIST Risk Management Framework.
The VUL capability detects vulnerable software that has been loaded on or is being executed within the target network, and responds in accordance with organizational policy. Identifying vulnerable software allows vulnerabilities to be mitigated. The VUL capability depends on the Software Asset Management (SWAM) capability to provide an inventory of installed software. The inventory is then examined to detect the presence of known vulnerabilities and poor coding practices. Changing configuration settings (the subject of the Configuration Setting Management (CSM) capability in a future NISTIR 8011 volume) can sometimes be used to mitigate vulnerabilities by disabling or otherwise protecting vulnerable software features, especially when patches are not available, thereby supporting software vulnerability management.
In practice, vulnerability scanning software is often used to find vulnerable software. If the metadata used to guide software scanning is organized appropriately, the same digital fingerprints used for whitelisting can be used to accurately and reliably identify vulnerable code as further discussed in Section 2.5.2.3.
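As an added illustration of the fingerprint-based matching described above (example code, not from NISTIR 8011 or any NIST tool; the software artifacts, hosts, inventory records and advisory identifier are constructed placeholders):

```python
import hashlib


def fingerprint(data: bytes) -> str:
    """Digital fingerprint of a software artifact: SHA-256 of its bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for installed software files (not real products).
ARTIFACTS = {
    "libexample-1.0": b"libexample build 1.0 (contains known flaw)",
    "libexample-1.1": b"libexample build 1.1 (flaw fixed)",
    "toolz-3.2": b"toolz build 3.2",
}

# Whitelist of approved fingerprints, as SWAM would maintain it.
WHITELIST = {fingerprint(b) for b in ARTIFACTS.values()}

# Vulnerability feed keyed by the same fingerprints; the advisory id is a placeholder.
VULN_FEED = {fingerprint(ARTIFACTS["libexample-1.0"]): "ADV-PLACEHOLDER-0001"}

# Constructed SWAM inventory: (host, product/version as reported, file bytes).
# host-b reports version 1.1 but actually carries the 1.0 binary, so a
# version-string check alone would miss it; the fingerprint does not.
INVENTORY = [
    ("host-a", "libexample 1.1", ARTIFACTS["libexample-1.1"]),
    ("host-b", "libexample 1.1", ARTIFACTS["libexample-1.0"]),
    ("host-c", "toolz 3.2", ARTIFACTS["toolz-3.2"]),
    ("host-d", "unknown-agent 0.9", b"unreviewed binary"),
]


def assess(inventory, whitelist, vuln_feed):
    """Produce one VUL finding per inventory record from its fingerprint.

    status is 'vulnerable' (fingerprint in the vulnerability feed),
    'known-good' (whitelisted and not in the feed), or 'not-whitelisted'
    (unknown software that SWAM should resolve before VUL can vouch for it).
    """
    findings = []
    for host, reported, data in inventory:
        fp = fingerprint(data)
        if fp in vuln_feed:
            status, advisory = "vulnerable", vuln_feed[fp]
        elif fp in whitelist:
            status, advisory = "known-good", None
        else:
            status, advisory = "not-whitelisted", None
        findings.append({"host": host, "reported": reported,
                         "fingerprint": fp, "status": status, "advisory": advisory})
    return findings
```

Running `assess(INVENTORY, WHITELIST, VULN_FEED)` flags host-b as vulnerable despite its patched-looking version string, and host-d as not whitelisted.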