SecTemplates.com

Introduction

Several times in my enterprise security career I experienced challenges when it came to security defect/vulnerability handling and management.

1. When I joined eBay in 2006, the security team was fairly small and I recall filing a cross-site scripting vulnerability to an engineering team with a specific priority level. However, another coworker from a different team was consulted on the issue and indicated that the priority was lower. It quickly became apparent that within the security team, we lacked a common agreement on how priorities should be set or how vulnerabilities should be managed and responded to.
2. When I joined Paypal the security team was about 5 people, and I joined as the first application security engineer. During my tenure there I had to build what would now be called a 'vulnerability management program' from scratch. Through trial and error an initial program was developed. I touched on aspects of the program I built back in 2009, and again in more comprehensively in 2011 on one of my other side projects. 
3. When I lead application security at Box Inc, it was more of the same, we had similar challenges and had to create a program from scratch. Some of our solutions involved automation, much of which will be discussed in this program pack.
   

Having spoken with many peers who have built, or own enterprise vulnerability management programs, many of them are utilizing simplified versions of more comprehensive programs others have blogged about.  During these interviews with my peers it became obvious that most of us weren't doing anything fancy, and most of us were doing far less than larger, more mature companies.

At every company I've worked at with a VM program, there have been many 'gotchas' that slowed things down and caused headaches. The goal of this release pack is to share what I have found to work well enough to establish a minimal vulnerability management program, and get you from 0-1.

- Robert Auger (@robertauger)

Vulnerability Management Program Pack 1.0

Welcome to the Vulnerability Management Program Pack. The goal of this release is to provide all the necessary resources to establish and set up a fully functioning vulnerability management program at your company.

In this pack, we cover:

Vulnerability Level Definitions: This document outlines vulnerability severity levels to help your company consistently evaluate and prioritize discovered issues. It also provides standard remediation SLAs as a baseline for setting remediation expectations.
Vulnerability Reporting Requirements: This document describes the minimal information needed in a vulnerability report to support evaluation and prioritization. It also includes examples of automation that can be used to report vulnerability remediation expectations to risk owners.
Vulnerability Program Preparation Checklist: This checklist provides a step-by-step guide to researching, piloting, testing, and rolling out vulnerability tracking at your company. It also discusses examples of automation for tracking vulnerability ticket health and oversight.
Vulnerability Management Process Diagram: This diagram outlines the various steps to perform when automation runs, ensuring stakeholders are well-supported and ticket health is properly managed. It aligns with the content in the Vulnerability Program Preparation Checklist.
Vulnerability Management Runbook: This runbook contains the steps outlined in the process diagram as a checklist, with a strong focus on ticket health oversight and stakeholder support.
Vulnerability Management Metrics: This document outlines common, baseline metrics for managing vulnerabilities at your company.

Download on Github:

https://github.com/securitytemplates/sectemplates/tree/main/vulnerability-management/v1

To provide simplified, free, and usable open-source templates to enable engineering and smaller security teams to bootstrap security capabilities in their organizations.