New guidelines from NIST stress the need for accurate vulnerability assessment and disclosure

In the second half of 2022, cyberattacks against governments increased an alarming 95% in frequency, placing federal agencies in the crosshairs of bad actors. The ever-increasing digitization of government services coupled with the constant barrage of cyber threats targeting the public sector means it is more imperative than ever that agencies continuously improve their processes around disclosing and remediating security incidents. 

One of the key hurdles agencies face is the management of assets and data when reporting vulnerabilities and assessing their severity. Communicating information about vulnerabilities and threats in a clear, concise, and unified manner helps ensure that the right stakeholders are notified quickly and can initiate the appropriate response measures; an effort that some agencies struggle with due to inadequate processes and tools. 

To guide the government down a more effective path, the National Institute of Standards and Technology (NIST) has released NIST Special Publication 800-216, which outlines recommendations for the tactical steps agencies should take during vulnerability assessment and disclosure. With these new guidelines from NIST, agencies now have an informal framework to follow for more adequately assessing and remediating risks, ultimately improving security measures through more accurate and detailed reporting. 

Detailed vulnerability disclosure with proof-of-concept

The release of these guidelines from NIST marks a significant step forward in transparency and responsiveness for the public sector. It’s not just about assessing the information as it comes in but also about efficiently disseminating that information to other government agencies and the general public so the right actions are taken across the board. 

The NIST guidance notes the need for “source vulnerability reports” that provide a detailed breakdown of affected products or services, vulnerability identification, and functional impacts that vulnerabilities may have on systems and services. These reports could include, among other elements:

• Class or type of vulnerability
• Proof-of-concept code or other substantial evidence
• Tools and steps to reproduce the vulnerable behavior
• Impact and severity estimate
• Disclosure plans 

Proof-of-concept code with evidence is a critical component of this list – until vulnerabilities are verified, it’s difficult for agencies to know their precise security risk and what to do about it. False positives are a common issue for teams that use less-than-reliable or inaccurate tools, and they often add unnecessary steps of manual verification. In application security, agencies can get around this by opting for automated security testing tools with features like proof-based scanning, which safely exploits and identifies vulnerabilities to provide evidence that an attack is possible, along with detailed information about potential impact and which remediation steps are best to take. 

With that immediate and reliable proof in hand, communicating critical details and next steps across agencies becomes even more manageable. Coupled with reporting mechanisms that provide deeper clarity, agencies will have more efficacy in assessing the validity, severity, scope, and impact of vulnerabilities, and can communicate that information clearly. 

Shifting to DAST can help with accuracy and speed in reporting

The guidelines from NIST come on the tailwind of President Biden’s National Cybersecurity Strategy released in March of this year, which has encouraged a more comprehensive and modernized approach to security for the public sector – including heightened accuracy in reporting. With these changes taking hold throughout the government in recent years, federal agencies are reaching a level of preparedness that is enabling them to implement and scale core DevSecOps practices, like embedding accurate, automated scanning throughout the software development lifecycle for a more proactive approach to security that, in turn, enables faster remediation and reporting. 

As federal agencies have historically seen hurdles with technology adoption, tight budgets, and culture changes around cybersecurity, streamlining access to critical and reliable resources can mean preventing a potential $2.07 million breach cleanup (the average cost for public sector incidents in 2022, according to IBM). Many agencies and organizations are achieving a  balance of accuracy, automation, and speed by moving to a streamlined set of tools that includes dynamic application security testing (DAST). 

We know from the Fall 2022 AppSec Indicator report that 99% of public sector organizations consider investing in DAST to be a top or high priority. With good reason: DAST enables the swift detection of vulnerabilities by testing a running application against real-life attacks. And, when paired with proof-based scanning, Invicti’s DAST solution provides a stamp of confirmation on real vulnerabilities so that DevSecOps teams are able to move forward quickly, leapfrogging otherwise time-consuming manual verification.

Having full confidence in the results of their security scans, agencies can then share this information in their source vulnerability reports to provide an accurate and complete picture of the risk – as well as critical required remediation steps and best practices for future prevention.

To learn more about accurate scanning and reliable reporting in application security, read our technical white paper on generating proof and avoiding false positives.