by Michael Wager
In the dynamic world of software development, ensuring the security of applications is an ongoing process, not a one-time event. The rise of DevSecOps underscores the importance of integrating security practices into the development lifecycle. One critical challenge in this landscape is the sheer volume and variety of vulnerabilities identified by different scanning tools, such as Static Application Security Testing (SAST), Software Composition Analysis (SCA) or container image scans. It is crucial for both technical and non-technical stakeholders to understand that security is not a "set it and forget it" task. New vulnerabilities, especially those arising from the supply chain of software products (like the infamous Log4j), can emerge at any time. This reality necessitates continuous monitoring and remediation efforts.
To address this challenge, our team at secureIO has developed a vulnerability heatmap as an open source project on GitHub. This tool provides a visual representation of vulnerabilities over time, making it easier for non-technical stakeholders to grasp the ongoing nature of security risks and the efforts required to mitigate them.
Introducing the Vulnerability Heatmap
Our Vulnerability Heatmap, detailed in our GitHub repository and available for demonstration here, is designed to offer clear insights into the status of application vulnerabilities. It serves (or soon will serve) multiple purposes, such as:
- Visualizing the number of vulnerabilities: It provides a quantitative view of open vulnerabilities per application, helping stakeholders understand the scope of security issues.
- Highlighting critical vulnerabilities: By showing the most critical and high-risk vulnerabilities found in applications, it enables focused remediation efforts.
- Tracking SLA compliance: The heatmap can visualize the status of applications according to their Service Level Agreements (SLAs), prioritizing remediation tasks based on agreed timelines.
- Combining SLA and Exploit Prediction Scoring System (EPSS): This view helps assess the likelihood of exploitability, providing a realistic view of potential security risks.
- Application-specific insights: It offers a detailed view of vulnerabilities for specific applications, facilitating targeted security measures.
Our heatmap is designed to serve the needs of various stakeholders within an organization, offering the flexibility to extract the precise information each group requires:
- Upper Management (UM): They require a summary of security risks, potential business impacts, and estimated mitigation costs to make strategic decisions.
- App Management (AM): This group needs a summary of vulnerabilities by module to manage project schedules and resource allocation.
- App Teams and DevOps (AT): They focus on specific vulnerability details to prioritize fixes and improvements in the code.
- Product Security Team (PS): Responsible for identifying and assessing vulnerabilities, they use the heatmap to ensure compliance with SLAs and manage overall risk.
- Vendors (VE): They track open tickets and perform regular security assessments, using the heatmap to monitor their tasks.
- Security Champions (SC): These stakeholders stay updated on new vulnerabilities and security trends, leveraging the heatmap for continuous improvement in security practices.
- Regulatory Entities (TG): They require visibility into the level of application security and the measures taken to protect data, ensuring compliance with regulations.
Data Source
The vulnerability data comes from DefectDojo, an open-source application vulnerability management tool to which we have also contributed. A nightly import job fetches findings from the DefectDojo API, normalizes them into a unified data structure and stores them in MongoDB. When the frontend requests data, a small Node.js service reads it from MongoDB, which is fast enough to support real-time visualization.
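As an added example, not code from the secureIO project, the following Node.js snippet shows how the nightly normalization step and the SLA and combined SLA + EPSS views listed above could be computed from DefectDojo findings; the field names, the SLA day limits and the EPSS threshold are assumptions.

```javascript
// Added example (not secureIO's code): normalize constructed DefectDojo-style findings into
// a unified record, then aggregate per-application heatmap cells. Field names, SLA limits
// and the EPSS threshold are assumptions, not the project's actual configuration.
const SLA_DAYS = { Critical: 7, High: 30, Medium: 90, Low: 180 }; // assumed remediation SLA in days

// Constructed sample, loosely shaped like DefectDojo /api/v2/findings/ items (assumed fields)
const rawFindings = [
  { id: 1, product_name: "shop", severity: "Critical", date: "2024-01-01", active: true, epss_score: 0.97 },
  { id: 2, product_name: "shop", severity: "Medium", date: "2024-01-20", active: true, epss_score: 0.01 },
  { id: 3, product_name: "shop", severity: "High", date: "2023-12-01", active: false, epss_score: 0.5 },
  { id: 4, product_name: "billing", severity: "High", date: "2024-01-10", active: true, epss_score: 0.02 },
  { id: 5, product_name: "billing", severity: "Low", date: "2023-06-01", active: true, epss_score: 0.05 },
];

// Unified structure the nightly job would store for each finding
function normalize(raw, asOf) {
  const ageDays = Math.floor((asOf - new Date(raw.date)) / 86400000);
  const slaDays = SLA_DAYS[raw.severity] ?? SLA_DAYS.Low;
  return {
    app: raw.product_name,
    severity: raw.severity,
    ageDays,
    slaDaysRemaining: slaDays - ageDays, // negative once the SLA is breached
    epss: raw.epss_score ?? 0,
  };
}

// Combined SLA + EPSS view: overdue findings that are also likely to be exploited come first
function slaEpssBucket(f, epssThreshold = 0.1) {
  const breached = f.slaDaysRemaining < 0;
  const likelyExploited = f.epss >= epssThreshold;
  if (breached && likelyExploited) return "urgent";
  if (breached) return "overdue";
  if (likelyExploited) return "watch";
  return "ok";
}

// One heatmap cell per application, with the counts the different views colour by
function heatmapCells(findings, asOf) {
  const cells = {};
  for (const raw of findings.filter((r) => r.active)) {
    const f = normalize(raw, asOf);
    const cell = cells[f.app] || (cells[f.app] = { open: 0, critHigh: 0, slaBreached: 0, urgent: 0 });
    cell.open += 1;
    if (f.severity === "Critical" || f.severity === "High") cell.critHigh += 1;
    if (f.slaDaysRemaining < 0) cell.slaBreached += 1;
    if (slaEpssBucket(f) === "urgent") cell.urgent += 1;
  }
  return cells;
}
```

Calling `heatmapCells(rawFindings, new Date("2024-02-01"))` yields one cell per application; the inactive finding is skipped, and the Critical Log4j-style finding in "shop" lands in the "urgent" bucket because it is both past its SLA and has a high EPSS score.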
Conclusion
We are just getting started with our Vulnerability Heatmap, but we are convinced that it can be a vital tool in the modern application security toolkit. By visualizing vulnerabilities and tracking remediation efforts over time, it supports the continuous security monitoring that today's fast-paced development environments require, and it bridges the gap between technical and non-technical stakeholders.
Visit our GitHub repository for more details and check out the demo to see the heatmap in action. Our goal at secureIO is to make software safer, one vulnerability at a time!
Try it out!