UC Santa Barbara's Unified Security Posture Management (USPM) program consolidates data from multiple asset and vulnerability discovery tools into one platform for efficient vulnerability triage and remediation.
The Unified Security Posture Management Tooling ServiceNow Knowledge Base article provides a comprehensive list and description of all current tools.
Asset Discovery is a critical component of a mature information security and vulnerability management program. It is not possible to secure assets that you don't know about. Asset Discovery provides operational visibility to assist with managing attack surface, mitigating exposure, and managing risk and compliance. It can also help feed other asset inventory tooling.
The campus Security Operations Center (SOC) manages a vulnerability management program, which is part of UCSB’s comprehensive Information Security program and a vital component of the Unified Security Posture Management initiative.
Vulnerabilities are software or configuration defects that allow an attacker to gain control of a system or disrupt its normal operations.
Critical vulnerabilities generally allow an attacker with network access to a computer to completely take control of the system by running arbitrary code at elevated privilege. In IT security circles, this is called “pwning” a system. The attacker can steal data, disrupt operations, or use the system as a jumping-off/pivot point to attack other systems behind otherwise closed networks. In this way, a critically vulnerable system puts the entire university at risk.
Vulnerabilities rated as high severity may be more difficult to exploit. They may give an attacker less control of a system, but they can severely compromise it, allow data to be stolen or modified, and disrupt normal operations.
Additionally, the risk context around vulnerabilities matters. Vulnerabilities rated as critical or high-severity with exploits occurring in the wild are more urgent to patch than those with proof-of-concept exploits or those without available exploits. System/service visibility (whether a system or service is publicly accessible) also provides vital context to overall risk.
Vulnerability Findings
Vulnerability findings are results identified by an automated security scanning tool or manual assessment conducted by a human (such as a penetration test or bug bounty program). Findings may include:
- The presence of one or more CVEs on an asset
- A system or cloud infrastructure misconfiguration
- A check for compliance or non-compliance with a compliance framework
- A security flaw in a system identified during a manual assessment
UCSB’s Unified Security Posture Management program ingests vulnerability findings from internal tools, third-party reporters, and attack surface management services and systems.
The web is the portal to business. Browsers still talk to backend servers, but more and more applications also use web protocols to connect to one another. These webs of applications form the basis of many information architectures today.
Whether it is a user filling out a form, a piece of JavaScript processing transaction data before sending it to a server, or two servers exchanging information, any time there is a network link between systems, vulnerabilities are likely to creep in. Add layers of middleware to the mix and the problem grows.
Application vulnerabilities can happen in all types of systems. For most developers today, web vulnerabilities are the most common. Application vulnerabilities have existed since the first web server permitted a user to provide input to a backend. In the early days, these were generally related to input validation. That’s still true today.
The Open Web Application Security Project (OWASP) Foundation is the not-for-profit charitable organization behind the OWASP project, which collects information about web application security challenges and publishes guidance on how to avoid them.
OWASP Top 10
- Top 10-2021 A01 - Broken Access Control
- Top 10-2021 A02 - Cryptographic Failures
- Top 10-2021 A03 - Injection
- Top 10-2021 A04 - Insecure Design
- Top 10-2021 A05 - Security Misconfiguration
- Top 10-2021 A06 - Vulnerable and Outdated Components
- Top 10-2021 A07 - Identification and Authentication Failures
- Top 10-2021 A08 - Software and Data Integrity Failures
- Top 10-2021 A09 - Security Logging and Monitoring Failures
- Top 10-2021 A10 - Server-Side Request Forgery
Each year since 2013 OWASP has published a “top 10” list of security vulnerability classes. These have evolved over the years as technologies have changed. What’s common to all 10 is that web application developers have a hand in preventing vulnerable code from going to production by applying secure coding techniques. We encourage you to read about the OWASP Top 10.
One class of attack that has not changed since the foundation of OWASP is Injection. These occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. There are ways to prevent this, and OWASP publishes information about how to implement those best practices.
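As an added illustration that is not part of the original page, here is the injection pattern just described in SQL form: a query built by string concatenation beside the parameterized query that OWASP's injection prevention guidance recommends, plus an allow-list for the one place bound parameters cannot help (a column name). The table, rows and function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample table for the example; not a real campus system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.edu"), ("bob", "bob@example.edu")])
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is spliced into the query text, so the SQL interpreter
    parses it as part of the command: the injection pattern described above."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    """The query text is fixed; the value travels separately as a bound
    parameter, so it can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Identifiers (table and column names) cannot be bound as parameters, so the
# safe approach is a strict allow-list rather than escaping.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn, sort_column):
    """Reject any sort column that is not on the allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = f"SELECT username FROM users ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]
```

Run both lookups with the same quoted input: the concatenated query returns every row because the input changed the query's logic, while the parameterized query returns nothing because no username literally matches.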
One of the valuable OWASP resources that developers can use is the collection of “cheat sheets.” Cheat sheets are short documents that describe actionable steps to avoid common vulnerabilities including injection. There are dozens of sheets that detail processes for specific use cases, and OWASP has a master cheat sheet with pointers.
OWASP is the most well-known starting point to understand application vulnerabilities and how to avoid them. As such, many books and training courses have been written that follow OWASP as an outline.
A training resource available on campus is LinkedIn Learning (formerly Lynda.com), which offers several classes in secure software development. These are available at no cost to campus staff members. You can link to LinkedIn Learning through the UCSB Learning Center. Search for “secure software development.”
Testing and quality control are part of any well-managed software development project. There are tools available to help test web applications for many of the vulnerabilities in the OWASP top 10. The campus already gets the benefit of some public services, such as Dorkbot from the University of Texas, which automatically and periodically scans for injection vulnerabilities. If any are discovered, the UCSB Security Operations Center (SOC) will notify the security contact for the website owner.
Application developers should consider other tools and methods to test during the development and release processes. OWASP publishes a testing guide, and many open-source and commercial tools are available.
The SOC maintains a license for Tenable.io, including a limited set of licenses for web application scanning. Development teams can request a scan of a complete application in a Dev/Test environment by submitting a ServiceNow request. These tests can take hours to days to complete depending on the complexity of the application. They should be run prior to move-to-production; however, they are not suitable for iterative tests during development.
Development teams should consider fully implementing open-source tools or licensing one of the many cloud or on-premises testing tools available. The OWASP testing guide provides a directory of tools.
With the ongoing prevalence of data breaches and the greater sophistication and pervasiveness of malware, and in particular ransomware, the UC system has enhanced legacy endpoint security (anti-virus or anti-malware) with next-generation endpoint protection. The UCSB Security Operations Center (SOC) monitors endpoint security through advanced Endpoint Detection and Response (EDR) tooling. EDR is designed to address these new sophisticated attacks with features that go well beyond the capabilities of traditional malware protection.