Vulnerabilities are weaknesses in a system that attackers can exploit; exploiting them can disrupt systems and businesses as well as expose sensitive or personal information.
Not all vulnerabilities are of the same severity. Similarly, not all assets are of equal importance or are equally accessible to an attacker. This is why a vulnerability management program is required.
A vulnerability management program allows you to consistently gain visibility on the vulnerabilities in your environment, identify and prioritize treatment activities, and provide means to coordinate across different teams for the closure of identified vulnerabilities.
SIRP’s vulnerability management module enables you to manage the end-to-end lifecycle of your vulnerability management program.
Technical Vulnerabilities
This is a repository of software and application-related vulnerabilities, which can be used to tag against assets during a Vulnerability Assessment or Penetration Testing exercise.
To manage the list of Technical Vulnerabilities, navigate to the Vulnerability Management page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Vulnerability Management tab at the top of the page, and then Technical Vulnerabilities under that.
Main Menu > Administration > Vulnerability Management > Technical Vulnerabilities
This page displays the list of all available technical vulnerabilities.
To add a new vulnerability, click on the Create Vulnerability button at the top. Clicking on the button will display a popup.
Enter the Name of the vulnerability
Select its Severity
Add details of the Threat that has the potential of exploiting the vulnerability
Add Impact details
Add the recommended Solution details
Click Create
The newly added Technical Vulnerability will appear in the main list. You can either edit or delete any of the existing or newly created records.
Non-Technical Vulnerabilities
Non-technical vulnerabilities differ from technical ones in that they are used in the risk assessment process rather than tagged against assets during an assessment. They can relate to logical or physical security. They are identified through tabletop exercises rather than with any tool or software.
These vulnerabilities are handled through the risk treatment plan, from which you can open a case against each action item.
To manage the list of non-technical vulnerabilities, navigate to the Vulnerability Management page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Vulnerability Management tab at the top of the page, and then click Non-Technical Vulnerabilities under that.
Main Menu > Administration > Vulnerability Management > Non-Technical Vulnerabilities
This page displays the list of all available non-technical vulnerabilities. By default, SIRP provides a list of 200+ pre-defined non-technical vulnerabilities.
To add a new vulnerability, click on the Create Vulnerability button at the top. Clicking on the button will display a popup. Enter the Name, Description, and Severity of the vulnerability, then click Create.
The newly added non-technical vulnerability will appear in the main list. You can either edit or delete any of the existing or newly created records.
You can also use the dropdown at the top to adjust the number of records shown on one page, and the Search box to search and filter the vulnerabilities.
Non-Technical Vulnerabilities Severity Levels
SIRP allows you to customize the severity levels of Non-Technical Vulnerabilities. You can define and use your own severity levels based on your organization’s risk assessment methodology.
To manage the list of severity levels, navigate to the Vulnerability Management page, open the Main Menu, and select Administration. Once the Administration section is displayed, select the Vulnerability Management tab at the top of the page, and then Non-Technical Severity under that.
Main Menu > Administration > Vulnerability Management > Non-Technical Severity
This page displays the list of all available Severity levels. By default, you get three Severity levels for your non-technical vulnerabilities:
High
Medium
Low
To add a new Severity level, click on the Create Vulnerability Severity button available at the top of the page. Clicking on the button will display a popup. Enter the Name and a numeric Value for the severity level, then click Create.
The newly added severity level will appear in the main list. You can either edit or delete any of the existing or newly created records. Depending on your risk assessment methodology, the numeric values of these severity levels can be used in your Risk Scoring formula.
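The following is an added illustration, not SIRP's own code, of how custom severity levels (a Name plus a numeric Value, as described above) can feed a risk score that ranks non-technical vulnerabilities for treatment. The scoring formula (likelihood x severity value x asset value), the 1 to 5 scales for likelihood and asset value, the numeric values assigned to the three default levels, the custom "Critical" level, and all sample assets and vulnerabilities are assumptions made for this example; SIRP leaves the formula to your own methodology.

```python
# Added example, not SIRP's own code. It models custom non-technical severity
# levels (Name + numeric Value) and shows one way their values can feed a risk
# score. The formula, the 1..5 scales, the default levels' numeric values and
# all sample data are assumptions made for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class SeverityLevel:
    name: str
    value: int


class SeverityRegister:
    """Customizable severity levels keyed by name (case-insensitive)."""

    def __init__(self):
        self._levels = {}

    def create(self, name, value):
        key = name.strip().lower()
        if not key:
            raise ValueError("severity name must not be empty")
        if key in self._levels:
            raise ValueError(f"severity level {name!r} already exists")
        if not isinstance(value, int) or value < 0:
            raise ValueError("severity value must be a non-negative integer")
        level = SeverityLevel(name.strip(), value)
        self._levels[key] = level
        return level

    def delete(self, name):
        del self._levels[name.strip().lower()]

    def value_of(self, name):
        try:
            return self._levels[name.strip().lower()].value
        except KeyError:
            raise KeyError(f"unknown severity level {name!r}; define it first") from None


def default_register():
    """The three default levels named on the page; their numeric values are assumed."""
    reg = SeverityRegister()
    for name, value in (("High", 3), ("Medium", 2), ("Low", 1)):
        reg.create(name, value)
    return reg


@dataclass(frozen=True)
class NonTechnicalVulnerability:
    name: str
    description: str
    severity: str  # must match a level defined in the register


@dataclass(frozen=True)
class RiskItem:
    asset: str
    asset_value: int   # assumed 1..5 scale of asset importance
    likelihood: int    # assumed 1..5 scale from the tabletop exercise
    vulnerability: NonTechnicalVulnerability


def risk_score(item, register):
    """Assumed formula: likelihood x severity value x asset value."""
    for scale, label in ((item.asset_value, "asset_value"), (item.likelihood, "likelihood")):
        if not 1 <= scale <= 5:
            raise ValueError(f"{label} must be between 1 and 5")
    return item.likelihood * register.value_of(item.vulnerability.severity) * item.asset_value


def prioritize(items, register):
    """Highest risk first, so treatment effort goes to the top of the list."""
    return sorted(items, key=lambda i: risk_score(i, register), reverse=True)


def sample_register():
    """Default levels plus one custom level, as an organisation might define it."""
    reg = default_register()
    reg.create("Critical", 4)  # assumed custom level
    return reg


def sample_items():
    """Constructed sample data, not taken from SIRP."""
    return [
        RiskItem("Lobby kiosk", 1, 4, NonTechnicalVulnerability(
            "No clean desk policy", "Printouts left at shared desks", "Low")),
        RiskItem("Payroll server", 5, 3, NonTechnicalVulnerability(
            "Visitor access not logged", "Server room visitors are not recorded", "Medium")),
        RiskItem("HR file room", 3, 3, NonTechnicalVulnerability(
            "Paper records unlocked", "Cabinets left open outside office hours", "High")),
        RiskItem("Data centre", 5, 2, NonTechnicalVulnerability(
            "No contractor background checks", "Third-party staff are not vetted", "Critical")),
    ]


def ranked_assets(items=None, register=None):
    """(asset, score) pairs in treatment order; convenient for checking the ranking."""
    register = register or sample_register()
    items = items if items is not None else sample_items()
    return [(i.asset, risk_score(i, register)) for i in prioritize(items, register)]


if __name__ == "__main__":
    for asset, score in ranked_assets():
        print(f"{score:>3}  {asset}")
```

The register rejects duplicate level names and non-numeric values, and scoring fails loudly when a vulnerability references a severity level that has been deleted, which is the practical consequence of letting users edit and delete levels that risk items depend on.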