Lifecycle model for managing unknown vulnerabilities

Codenomicon released its Unknown Vulnerability Management (UVM) Lifecycle model, a security assurance process, which focuses on unreported vulnerabilities. The UVM model helps companies and organizations find and fix unknown vulnerabilities, before anyone has a chance to exploit them.

“Unknown vulnerabilities are the biggest threat to IT systems, because there are no defenses for attacks against them,” says Ari Takanen, CTO of Codenomicon. “Thus, finding and fixing unknown vulnerabilities in in-house and third party software should be the number one security priority.”

The most effective way to protect software is to fix critical vulnerabilities proactively. In all types of cyber attacks, the initial access is enabled by a vulnerability in an open software interface. Vulnerabilities also cause quality and interoperability problems.

Numerous solutions exist for handling known, reported vulnerabilities, but Codenomicon’s Unknown Vulnerability Management Lifecycle is the first model for managing previously unknown vulnerabilities. The Codenomicon UVM solutions can not only be used to secure networks, devices and applications, but also the software used to protect them, namely firewalls, VPNs etc.

“Codenomicon’s solutions are used by top governments and leading software companies, operators, service providers and manufacturers to secure critical networks and to provide robust and reliable products and services,” says David Chartier, CEO of Codenomicon. “The launch of the Unknown Vulnerability Management Lifecycle makes proactive security testing accessible to a wider audience.”

The core technology behind Codenomicon’s UVM model is Fuzzing, a technique used by hackers to find unknown vulnerabilities. Unlike other testing tools, Fuzzers do not look for particular vulnerabilities. Instead, they use modified inputs to trigger vulnerabilities, thus they can discover both known and unknown vulnerabilities. Codenomicon’s Defensics Attack Simulation Engine is the only state-aware Fuzzing platform.

It can interoperate with the tested system and target areas most prone to vulnerabilities, while maintaining broad coverage through automatic test generation.

The Unknown Vulnerability Management process consists of four phases: Analyze, Test, Report and Mitigate. The whole process is covered by automated testing tools. In the first phase, the Codenomicon Network Analyzer is used to form a comprehensive picture of the entire network with automatically created visualizations. Once all the open interfaces are identified, they can then be tested for vulnerabilities with Codenomicon’s automated Defensics test tools.

All the expertise needed to carry out the tests is built into the tools. The Defensics tools also contain automated features for generating different levels of reports, reproducing vulnerabilities, performing regression testing and verifying patches.