How Code to Cloud Context Equals Success

With Hacker Summer Camp right around the corner, I took some time to reflect on RSAC back in April, and one conversation about code-to-cloud context in application security stood out. So, here it goes...

When it comes to cybersecurity, the term ‘critical vulnerability’ can elicit a sense of panic and urgency. Organizations, driven by the need to protect their digital assets, often scramble to address these vulnerabilities, sometimes at the cost of disrupting other equally important work. But what if the conventional approach to prioritizing and remediating vulnerabilities needs to be redefined? What if we have been viewing criticality through too narrow a lens, one that ignores the complex and varied nature of these security risks?

Let’s delve into these pressing questions that were the highlight of a recent RSAC breakfast event hosted by Tromzo and Semgrep. The discussion was led by Jim Manico, a seasoned application security (AppSec) expert, whose insights into secure code development and vulnerability management have shaped the cybersecurity strategies of numerous organizations worldwide. The conversations that unfolded at the event, brimming with divergent views and fresh perspectives, sparked a dialogue that extends far beyond the breakfast table.

Together, let’s navigate vulnerability management, explore the contrasting views on vulnerability remediation, and examine a potential third option for a more effective approach. Whether you’re an AppSec practitioner, a CISO, or simply interested in cybersecurity, this breakfast conversation holds valuable insights and potential solutions to the criticality conundrum.

About Jim Manico and His Experience in AppSec

Let’s take a moment to appreciate the man who ignited the lively discussion at the RSAC breakfast event. Jim Manico is no ordinary figure in the realm of application security (AppSec). A veteran in the field, his career has spanned decades, during which he has helped countless organizations bolster their security programs. His expertise in secure code development and vulnerability management is rooted not just in theoretical knowledge but in a wealth of practical experience. This blend of theory and practice gives Jim a unique perspective, one that is highly respected and sought after in the industry.

While Jim’s role as an AppSec expert is invaluable, what truly sets him apart is his commitment to education. Jim has dedicated a significant part of his career to traveling the world, training teams on secure code development. His educational sessions provide an intimate glimpse into diverse security programs and their vulnerabilities, enabling him to guide teams towards robust AppSec practices. This commitment to global education has not only elevated the standards of AppSec but also instilled a culture of security awareness in organizations worldwide.

One of the most poignant observations Jim shared during the RSAC breakfast event was a deeply concerning trend he had noticed in many organizations. Despite being aware of thousands of vulnerabilities in their systems, a surprising number of them rated ‘critical’, these organizations often showed little to no progress in their remediation efforts. This gave rise to a passionate discussion about the various approaches to vulnerability management, their effectiveness, and the potential for improvement.

Why do organizations continue to choose not to close critical vulnerabilities?

The Engaging Discussion Sparked by Jim’s Opening Question

Jim’s observation about organizations’ lack of action towards known vulnerabilities sparked an intense and spirited discussion that dominated the breakfast. The audience came to the table with a wide range of reactions, reflections, and robust debates as the attendees grappled with the underlying issues highlighted by Jim. This compelling question seemed to resonate with everyone in the room, exposing tension between understanding the security risk of vulnerabilities and the practical realities of remediation.

The event was attended by an eclectic mix of professionals, all of whom brought their unique perspectives to the discussion. This group consisted of seasoned AppSec practitioners, influential CISOs, and dedicated security heads from various industries. Each participant’s unique background and experiences added depth to the conversation, ensuring that the discussions were as comprehensive as they were enlightening.

A memorable moment during the conversation came from the CISO of a major social networking site. Having previously collaborated with Jim, he offered a counter-perspective on the topic of vulnerability remediation. His stance was rooted in the reality of finite resources and the need to make hard choices.

“I’ve only got so many friend points to spend. Each time I contact my engineering leads and tell them to drop everything to rectify a critical security vulnerability, I spend some of those friendship points.”

This statement eloquently illustrated the delicate balance that CISOs often need to maintain between security imperatives and operational realities.

The Contrasting Views on Vulnerability Remediation

The room was split between two main perspectives on vulnerability remediation. On one side, Jim and several AppSec practitioners firmly advocated for the immediate remediation of any identified critical vulnerabilities, emphasizing the potential security risks associated with delay.

On the other hand, the CISO and other heads of security highlighted the realities of resource constraints and the potential disruption to operations, arguing for a more pragmatic, risk-based approach to vulnerability management. This polarity of views underscored the complexity of vulnerability remediation and set the stage for exploring a new, perhaps more nuanced, approach to vulnerability management.

The Need for a Third Option: ‘Door Number 3’

As the conversation continued, it became increasingly clear that the traditional approach to vulnerability management is oversimplified. What if a better way is hiding behind Door Number 3? That approach recognizes that not all critical vulnerabilities are created equal and prioritizes them on factors beyond the severity rating alone.

To effectively implement this third option, a deeper understanding of your code repositories, CI/CD platforms, artifact registries and cloud platforms is critical. Who else, if not your team, should have the most intimate knowledge of your own infrastructure and applications? Certainly not MITRE or the National Vulnerability Database (NVD): a CVSS base score describes a flaw in isolation, not where that flaw runs in your environment. Your team holds the keys to understanding which applications are most critical to your organization’s operations and thus require more immediate and focused attention.

The Benefits of Incorporating Business Context into Vulnerability Assessment

One significant aspect of ‘Door Number 3’ is the incorporation of business context into vulnerability assessment. Instead of treating all vulnerabilities equally, your team weighs the business context of each one: the type of data the code handles, the operational importance of the affected system, whether the affected service is reachable from the internet, and the potential business impact of a breach.

💡 Potential areas of focus for vulnerability remediation: PII repositories, vulnerabilities with active exploits, root-cause issues triggering duplicate vulnerabilities.

Under this new approach, several areas could be prioritized for vulnerability remediation: repositories where personally identifiable information (PII) or other sensitive data is processed, vulnerabilities with known active exploits, and vulnerabilities linked to a single root cause that shows up as many duplicate findings across your codebase. By focusing on these areas, you address a large number of findings at once and mitigate some of the most significant risks to your organization.

This shift towards context-aware vulnerability management also eases some of the friction around dependency management and CVSS scores. A CVSS base score rates a flaw on its own; it says nothing about whether the vulnerable code path is reachable, what data sits behind it, or how many of your services pull the affected package in transitively. With that context added, you might identify a “load-bearing dependency” that sits at the root of numerous findings across your stack. Upgrading that one dependency closes a multitude of related findings in a single change, without litigating each finding’s CVSS score individually. One caveat: a critical flaw in an internet-facing service that handles customer data is still a drop-everything event; the point of context is to find those cases quickly, not to justify deferring them. This kind of targeted, context-aware action can significantly improve your team’s efficiency in managing vulnerabilities and your overall security posture.
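To make the “Door Number 3” idea concrete, here is an added worked example (not Tromzo’s product code and not anything shown at the breakfast). It takes scanner findings, attaches the context a scanner cannot know (data class of the repository, internet exposure, whether the flaw is known to be exploited), groups findings by their root-cause package so a load-bearing dependency is fixed once rather than once per duplicate, and ranks the resulting remediation items. The weights, field names and the sample inventory are all assumptions constructed for illustration; the package names and scores are made up and do not refer to real vulnerabilities.

```python
"""Context-aware vulnerability prioritization.

Added illustrative example: the data model, weights and sample findings are
assumptions, not real scanner output or a real product's scoring model.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for illustration; tune them to your own risk model.
DATA_WEIGHT = {"pii": 3.0, "internal": 1.5, "public": 1.0}
INTERNET_FACING_MULTIPLIER = 1.5
EXPLOITED_MULTIPLIER = 2.0
DUPLICATE_BONUS = 0.5  # per extra finding that the same root-cause fix closes


@dataclass(frozen=True)
class Finding:
    finding_id: str
    repo: str
    package: str              # root cause: the dependency that needs upgrading
    cvss: float               # scanner's context-free base score, 0-10
    data_class: str           # "pii", "internal" or "public" (assumed labels)
    internet_facing: bool     # reachable from the internet (from cloud inventory)
    exploited_in_wild: bool   # e.g. present in a known-exploited-vulns feed


@dataclass
class RemediationItem:
    package: str
    findings: list            # all findings closed by upgrading this package
    score: float


def context_score(f: Finding) -> float:
    """Scale the CVSS base score by business context.

    A CVSS 9.8 in an internal batch job that handles public data ranks below
    a CVSS 7.5 in an internet-facing PII service with an active exploit."""
    score = f.cvss * DATA_WEIGHT.get(f.data_class, 1.0)
    if f.internet_facing:
        score *= INTERNET_FACING_MULTIPLIER
    if f.exploited_in_wild:
        score *= EXPLOITED_MULTIPLIER
    return score


def prioritize(findings):
    """Group findings by root-cause package and rank the groups.

    A group's score is its highest-context finding plus a small bonus per
    duplicate, so one widely used ("load-bearing") dependency outranks a
    single finding of equal severity."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.package].append(f)
    items = []
    for package, fs in groups.items():
        best = max(context_score(f) for f in fs)
        score = best + DUPLICATE_BONUS * (len(fs) - 1)
        ordered = sorted(fs, key=context_score, reverse=True)
        items.append(RemediationItem(package, ordered, round(score, 2)))
    return sorted(items, key=lambda item: item.score, reverse=True)


def remediation_plan(findings, budget):
    """Spend a limited number of 'friend points' on the top root-cause fixes.

    Returns the chosen items and how many raw findings they close."""
    chosen = prioritize(findings)[:budget]
    closed = sum(len(item.findings) for item in chosen)
    return chosen, closed


# Constructed sample inventory; package names and scores are fictitious.
SAMPLE = [
    Finding("V-1", "payments-api", "xmlparse-lib", 9.8, "pii", True, False),
    Finding("V-2", "payments-api", "tls-lib", 7.5, "pii", True, True),
    Finding("V-3", "marketing-site", "xmlparse-lib", 9.8, "public", True, False),
    Finding("V-4", "batch-reports", "xmlparse-lib", 9.8, "internal", False, False),
    Finding("V-5", "batch-reports", "report-gen", 9.8, "internal", False, False),
    Finding("V-6", "admin-tool", "json-lib", 8.1, "internal", False, False),
]

if __name__ == "__main__":
    plan, closed = remediation_plan(SAMPLE, budget=2)
    for item in plan:
        ids = ", ".join(f.finding_id for f in item.findings)
        print(f"{item.package:14} score={item.score:6.2f} closes {ids}")
    print(f"{closed} of {len(SAMPLE)} findings closed with 2 root-cause fixes")
```

Run on the sample, the exploited CVSS 7.5 in the PII service ranks first, ahead of four findings that the scanner alone would label 9.8 critical, and the xmlparse-lib upgrade comes second because it closes three findings at once. Two root-cause fixes close four of the six findings, which is the trade the CISO’s “friend points” remark is really about.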

The Potential Solution to the Criticality Conundrum: A Nuanced Approach to Vulnerability Management

As we reflect on the thought-provoking discussion at the RSAC breakfast, it becomes evident that the solution to the criticality conundrum might lie in a more nuanced approach to vulnerability management. By adopting the proposed third option, organizations can move beyond the simplistic binary categorization of vulnerabilities and incorporate additional factors into their remediation efforts. This approach brings us one step closer to managing vulnerabilities more efficiently and effectively.

The Importance of Prioritizing Vulnerabilities Based on Potential Impact

An integral part of this nuanced approach is prioritizing vulnerabilities based on their potential impact. Instead of adhering strictly to severity ratings, consider the business context, the nature of the data involved, and the operational significance of the affected systems. By focusing on vulnerabilities that could have the most significant impact if exploited, organizations can more effectively allocate their resources and mitigate the most significant risks to their operations.

Balancing the Needs of Security and Engineering Teams: Preserving “Friend Points” and Addressing Truly Critical Vulnerabilities

Finally, this approach can help strike a much-needed balance between the needs of security and engineering teams. By focusing on the most impactful vulnerabilities and not rushing to patch every single one labeled as ‘critical,’ security professionals can preserve their “friend points” with their engineering counterparts. This careful prioritization ensures that engineering teams are not continually disrupted by emergency patching and that truly critical vulnerabilities are addressed promptly.

In conclusion, the criticality conundrum is a complex issue that demands a sophisticated response. Adopting a more nuanced approach to vulnerability management, as proposed at the RSAC breakfast, can help organizations navigate this challenge more effectively and bolster their overall cybersecurity posture.

If we can help you on your journey to accelerating remediation of risks from code to cloud, we would love to show you how we build a comprehensive software artifact inventory and ownership model with intelligent context from code to cloud – enabling your team to automate the complete remediation lifecycle of issues that truly matter – making sure to preserve those “friend points”.
