← [Section 08](README.md) · [Home](../README.md)

# Vulnerability Management

## Goal

Build a **vulnerability management (VM)** process: from CVE discovery to a patch in production, as a continuous cycle tied to [SCA/SAST](../06-bezopasnost-koda/README.md) and runtime monitoring.

## Prerequisites

- [incident-response.md](incident-response.md).
- CVE, CVSS: at a basic level, "vulnerability severity scoring".

## Time

~30 minutes of reading + a draft VM policy table

---

## VM lifecycle

```
Discover → Triage → Prioritize → Remediate → Verify → Report
    ↑                                              │
    └────────── new scan / threat intel ───────────┘
```

**Continuous**, not a "once-a-year pentest".

## Sources of vulnerabilities

| Source | Examples |
|--------|----------|
| **SCA** | npm, pip CVE |
| **SAST** | Code flaws |
| **Container scan** | Base image packages |
| **IaC scan** | Terraform misconfig |
| **External scan** | Shodan, vendor advisory |
| **Bug bounty / pentest** | Human findings |
| **Threat intel** | CISA KEV, vendor bulletins |

Centralize all findings in a **VM ticket queue** (Jira, DefectDojo).

## Prioritization beyond CVSS

| Factor | Question |
|--------|----------|
| **CVSS base** | Technical severity |
| **EPSS** | Exploit probability score |
| **KEV catalog** | Known exploited in wild |
| **Asset criticality** | Prod payment vs internal wiki |
| **Exposure** | Internet-facing? |
| **Compensating control** | WAF, network isolation |
| **Reachability** | Vulnerable code path used? |

**Risk score = f(severity, context)** — not CVSS alone.

## SLA table (example policy)

| Priority | Definition | Remediation SLA |
|----------|------------|-----------------|
| P0 | Active exploitation on our asset | 24h |
| P1 | Critical + internet + reachable | 7 days |
| P2 | High internal | 30 days |
| P3 | Medium | 90 days |
| P4 | Low | Next quarter batch |

Document exceptions with an expiry date.
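The prioritization rubric and the SLA table above, turned into a small priority engine. This is an added example, not code from the course; the EPSS threshold, the one-level demotion for a compensating control and the treatment of unreachable findings as P4 are assumptions, and the CVE ids used in tests are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remediation SLA per priority, from this page's example policy table.
# P4 has no fixed window: it goes into the next quarter's batch.
SLA = {"P0": timedelta(hours=24), "P1": timedelta(days=7),
       "P2": timedelta(days=30), "P3": timedelta(days=90), "P4": None}
EPSS_HIGH = 0.5  # assumed threshold: >=50% exploit probability counts as "critical"

@dataclass
class Finding:
    cve: str                    # identifier (placeholder values in the examples)
    cvss: float                 # CVSS base score: technical severity
    epss: float                 # EPSS exploit probability, 0..1
    in_kev: bool                # listed in the CISA KEV catalog
    active_exploitation: bool   # confirmed exploitation against *our* asset
    asset_criticality: str      # "high" (prod payment) or "low" (internal wiki)
    internet_facing: bool
    reachable: bool             # is the vulnerable code path actually used?
    compensating_control: bool  # WAF rule or network isolation already in place

def prioritize(f: Finding) -> str:
    """Map a finding to P0..P4 with the rubric on this page, not CVSS alone."""
    if f.active_exploitation:
        return "P0"             # only confirmed exploitation on our asset is P0
    if not f.reachable:
        return "P4"             # 'accept risk' candidate; needs sign-off, stays tracked
    critical = f.cvss >= 9.0 or f.in_kev or f.epss >= EPSS_HIGH
    high = f.cvss >= 7.0
    if critical and f.internet_facing:
        level = 1               # critical + internet + reachable
    elif critical or (high and f.asset_criticality == "high"):
        level = 2               # high/critical but internal
    elif high or f.cvss >= 4.0:
        level = 3               # medium
    else:
        level = 4               # low
    if f.compensating_control:
        level = min(level + 1, 4)  # a virtual patch buys time; the debt stays tracked
    return f"P{level}"

def next_quarter_start(d: datetime) -> datetime:
    end_month = ((d.month - 1) // 3 + 1) * 3  # 3, 6, 9 or 12
    return datetime(d.year + 1, 1, 1) if end_month == 12 else datetime(d.year, end_month + 1, 1)

def due_date(priority: str, opened: datetime) -> datetime:
    """Remediation deadline; an SLA breach is anything still open past it."""
    sla = SLA[priority]
    return opened + sla if sla is not None else next_quarter_start(opened)
```

A CVSS 10 on an internal wiki lands at P2 and a CVSS 10 behind a WAF rule at P2, while only confirmed exploitation of our own asset yields P0, which is the point of the "CVSS 10 everything P0" anti-pattern below.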

## Remediation options

| Option | When |
|--------|------|
| **Upgrade** | Fix version available |
| **Patch** | OS/kernel hotfix |
| **Config change** | Disable feature, tighten IAM |
| **WAF rule** | Temporary virtual patch |
| **Accept risk** | Not reachable, business sign-off |

Virtual patch ≠ permanent fix — track debt.

## Prod vs non-prod

| Practice | Why |
|----------|-----|
| Scan prod artifacts on the same cadence | Prod is the target |
| Faster SLA for prod | Higher impact |
| Dev may lag slightly | But don't let the gap become years |

## Emergency change process (zero-day)

Example: a critical OpenSSL or Log4Shell-style vulnerability:

1. Threat intel → activate war room
2. Inventory affected components ([SBOM](../06-bezopasnost-koda/sca-zavisimosti.md))
3. Emergency patch window bypassing the normal release process
4. Verify + monitor
5. Post-incident VM report

## Metrics & reporting

| Metric | Audience |
|--------|----------|
| Open critical count | Engineering + exec |
| MTTR by severity | Process health |
| SLA breach count | Risk acceptance drift |
| % assets scanned | Coverage |
| Recurring CVE classes | Training need |

Monthly security review: trend, not just snapshot.

## Tooling integration

```
SCA/SAST/Container → DefectDojo / Jira
                         ↓
                   Priority engine
                         ↓
                   Owner assignment (CODEOWNERS)
                         ↓
                   CI re-scan closes ticket
```

Auto-closing a ticket when the rescan is clean prevents stale tickets.
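The last step of the pipeline above, a reconciler between the ticket queue and a fresh CI scan run, as an added example that is not part of the course or of DefectDojo/Jira. Ticket and scan structures are assumptions, and the asset names and CVE ids in the tests are placeholders. It handles the two edge cases a practitioner hits: an asset the scan did not cover is not evidence of a fix, and a ticket closed by hand that still shows up in the scan is reopened.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Ticket:
    key: str
    asset: str
    cve: str                          # placeholder ids in the examples
    status: str = "open"              # "open" or "closed"
    resolution: Optional[str] = None  # why it was closed

@dataclass
class ScanRun:
    scanned_assets: Set[str]          # assets this CI run actually covered
    findings: Set[Tuple[str, str]]    # (asset, cve) pairs still detected

def reconcile(tickets: List[Ticket], scan: ScanRun) -> Dict[str, list]:
    """Sync the ticket queue with a fresh scan run (tickets are updated in place).
    Returns the keys closed and reopened, plus (asset, cve) pairs needing a new ticket."""
    result: Dict[str, list] = {"closed": [], "reopened": [], "new": []}
    known = {(t.asset, t.cve) for t in tickets}
    for t in tickets:
        if t.asset not in scan.scanned_assets:
            continue  # coverage gap, not a fix: an unscanned asset proves nothing
        still_present = (t.asset, t.cve) in scan.findings
        if t.status == "open" and not still_present:
            t.status, t.resolution = "closed", "fixed-verified-by-rescan"
            result["closed"].append(t.key)
        elif t.status == "closed" and still_present:
            # "false fixed": closed without a clean rescan, so put it back in the queue
            t.status, t.resolution = "open", None
            result["reopened"].append(t.key)
    # anything detected that has no ticket yet enters Triage
    result["new"] = sorted(scan.findings - known)
    return result
```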

## Ownership

Every finding needs an **owner team** — not "the security team".

| Asset | Owner |
|-------|-------|
| Service `payments-api` | Team Payments |
| Shared base image | Platform |
| Terraform modules | Infra |

Unowned findings rot.

## Compliance mapping

| Framework | VM expectation |
|-----------|----------------|
| ISO 27001 | Documented process, evidence |
| SOC2 | Vuln scan + remediation tracking |
| PCI-DSS | Quarterly external scan + fixes |

Reports are exported from the ticket system and the scan history.

## Anti-patterns

| Anti-pattern | Result |
|--------------|--------|
| Scan without a remediation SLA | Infinite backlog |
| Close ticket without rescan | Falsely marked fixed |
| Ignore runtime (only SCA) | Misconfig in prod goes unseen |
| CVSS 10 everything P0 | Burnout, real P0s lost |

## VM program checklist

- [ ] All prod services in scan scope
- [ ] Weekly/monthly scan schedule automated
- [ ] Prioritization rubric documented
- [ ] SLAs agreed with engineering leads
- [ ] Exception register with expiry
- [ ] Emergency zero-day playbook linked to [IR](incident-response.md)
- [ ] Executive dashboard monthly

## Link to the full DevSecOps cycle

| Stage | VM activity |
|-------|-------------|
| Design | Threat model drives focus areas |
| Build | SCA/SAST find early |
| Deploy | Image/IaC scan gate |
| Run | External scan, intel, IR for active vulns |
| Improve | Post-mortem updates VM priorities |

---

## Self-check

1. Describe the VM lifecycle in your own words.
2. Why is a CVSS 9.1 not always a P0?
3. How does a virtual patch differ from an upgrade?
4. Why auto-close a ticket after a clean rescan?

## Next

Section 08 is complete. You have finished block **05–08** of the DevSecOps course. Return to the [main map](../README.md) for the other sections, or revisit weak topics via the **Self-check** on each page.
