Channel: Application Security Risks – NetSPI Blog

The Vulnerability Disappearing (and Reappearing) Act


As vulnerability assessments continue from quarter to quarter, some vulnerabilities seem to appear, disappear, and reappear again. Others appear for the first time even though the affected software has been in use for over a year. If you are in charge of remediating these vulnerabilities, you may be left scratching your head. Was the vulnerability remediated? Was it reintroduced to the environment? Did the scanning tool fail to catch it in a particular quarter? The short answer is yes, any of those. The long answer?

Vulnerabilities can appear and disappear for a variety of reasons. Sometimes a vulnerability disappears because it was remediated, even if the remediation was unintentional. For example, a code-related vulnerability from last quarter does not appear in this quarter's scan. When you congratulate the development team on fixing the issue, they say "What? Sorry, we haven't gotten around to fixing that one yet." What happened? The server team applied a patch to the OS of the server the application runs on; the patch added new security functionality that also, as a side effect, closed the code-related vulnerability, and no one realized it had happened.

Next quarter, the server team rolls back the patch because of issues with a separate legacy application, and the vulnerability appears again. The quarter after that, the server team turns the affected server off for maintenance during the scan window, so once again the vulnerability disappears from the report and all seems well. A scan cannot report a weakness on a host that did not answer, so an absent finding on an unreachable host says nothing about whether it was fixed.

The next quarter, the server is turned back on, the development team adds new functionality to the application that requires additional services to run on the server, the vendor's scanning tool receives a large plugin update with hundreds of new checks, and one of the new checks leads the security consultant to manually discover a high-severity issue that allows complete compromise of the server. All of a sudden, a huge blob of risk has landed in your lap, your boss's left eye is twitching more than usual, and you have no idea how to rationalize what happened, much less explain it in an easy-to-consume manner. What do you do? Use the abbreviated cheatsheet below, which lists the most common sources of the vulnerability disappearing and reappearing act, whether each can be tracked down after the fact, and whom to ask:

Source                                          Vulnerability           Trackable?   How?
                                                Disappears   Appears
Intentional remediation of vulnerabilities          X                    Yes          Ask owner
Unintentional remediation of vulnerabilities        X                    No           -
The availability of services during scanning        X                    Maybe        Review logs, ask owner
The addition of services since the last scan                     X       Yes          Review systems, ask owner
Updates to plugins/tool set                                      X       Yes          Ask vendor
Manually discovered results                                      X       Yes          Ask vendor
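The cheatsheet is easiest to apply when the scan-to-scan comparison is automated, so that each finding that changed between two quarters is attributed to a row of the table before anyone is asked about it. The script below is an added example written for this page, not code from NetSPI or from any scanner vendor. It assumes a simplified export per scan (the hosts that answered, the listening ports seen on each, the plugin release the tool ran with, and the findings) and a hypothetical plugin catalog that records which release first shipped each check; the host names, plugin ids and three-quarter history are constructed to exercise every row of the table. It goes slightly beyond the table in one respect: given older scans, it distinguishes a finding that has reappeared (the rollback case from the story above) from one that is genuinely new on an existing service.

```python
"""Scan-to-scan delta triage that follows the cheatsheet above.

Added example with constructed data, not real scanner output. The export
shape, the plugin catalog, the host names and plugin ids are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, NamedTuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin_id: str
    manual: bool = False  # True when a consultant found it by hand, not the tool


@dataclass
class Scan:
    plugin_release: int              # check-set release the tool ran with
    scanned_hosts: set[str]          # hosts that answered during the scan window
    open_ports: dict[str, set[int]]  # host -> listening ports observed
    findings: set[Finding]


class Delta(NamedTuple):
    change: str     # "disappeared" or "appeared"
    reason: str     # the cheatsheet row that explains it
    trackable: str  # "yes", "no" or "maybe"
    next_step: str  # who to ask / what to review


# Hypothetical plugin catalog: plugin id -> first tool release that shipped the check.
PLUGIN_FIRST_RELEASE = {"P-100": 1, "P-250": 1, "P-300": 1, "P-900": 12}


def classify(prev: Scan, curr: Scan, older: Iterable[Scan] = ()) -> dict[Finding, Delta]:
    """Attribute each finding that changed between prev and curr to a cause.

    Order matters: host availability is checked before anything else, because
    a host that did not answer tells you nothing about its vulnerabilities.
    """
    seen_before = set().union(*(s.findings for s in older))
    report: dict[Finding, Delta] = {}

    for f in prev.findings - curr.findings:
        if f.host not in curr.scanned_hosts:
            report[f] = Delta("disappeared", "host unavailable during this scan",
                              "maybe", "review logs, ask owner")
        else:
            # The tool cannot tell a deliberate fix from an OS patch that happened
            # to close the hole; only the owner can, so both rows collapse here.
            report[f] = Delta("disappeared", "remediated, intentionally or not",
                              "yes/no", "ask owner")

    for f in curr.findings - prev.findings:
        if f.host not in prev.scanned_hosts:
            report[f] = Delta("appeared", "host unavailable during last scan",
                              "maybe", "review logs, ask owner")
        elif f.port not in prev.open_ports.get(f.host, set()):
            report[f] = Delta("appeared", "service added since last scan",
                              "yes", "review systems, ask owner")
        elif f.manual:
            report[f] = Delta("appeared", "manually discovered result",
                              "yes", "ask vendor")
        elif PLUGIN_FIRST_RELEASE.get(f.plugin_id, 0) > prev.plugin_release:
            report[f] = Delta("appeared", "new check in plugin update",
                              "yes", "ask vendor")
        elif f in seen_before:
            report[f] = Delta("appeared", "reappeared (e.g. patch rolled back)",
                              "yes", "ask owner")
        else:
            report[f] = Delta("appeared", "new finding on an existing service",
                              "yes", "ask owner")
    return report


def build_sample() -> tuple[list[Scan], Scan, Scan]:
    """Constructed three-quarter history (q0, q1, q2) covering every row of the table."""
    q0 = Scan(9, {"app01", "db01"}, {"app01": {80, 443}, "db01": {1433}},
              {Finding("app01", 443, "P-100"), Finding("app01", 443, "P-250")})
    q1 = Scan(10, {"app01", "db01"}, {"app01": {80, 443}, "db01": {1433}},
              {Finding("app01", 443, "P-100"),    # persists into q2
               Finding("app01", 80, "P-100"),     # gone in q2 while host was up
               Finding("db01", 1433, "P-250")})   # host off for maintenance in q2
    q2 = Scan(12, {"app01", "web02"}, {"app01": {80, 443, 8080}, "web02": {443}},
              {Finding("app01", 443, "P-100"),
               Finding("app01", 8080, "P-300"),                  # new service
               Finding("app01", 443, "P-900"),                   # check new in release 12
               Finding("app01", 443, "MANUAL-7", manual=True),   # consultant's find
               Finding("app01", 443, "P-250"),                   # seen in q0, absent in q1
               Finding("web02", 443, "P-100")})                  # host not scanned in q1
    return [q0], q1, q2


def main() -> None:
    older, prev, curr = build_sample()
    rows = classify(prev, curr, older).items()
    for f, d in sorted(rows, key=lambda kv: (kv[1].change, kv[0].host, kv[0].port)):
        print(f"{d.change:<11} {f.host}:{f.port:<5} {f.plugin_id:<9} "
              f"{d.reason:<38} trackable={d.trackable:<7} -> {d.next_step}")


if __name__ == "__main__":
    main()
```

Run it and the output is the report to bring to the meeting: two findings that vanished (one on a host that was simply off during the scan window, one that needs the owner to confirm whether the fix was deliberate) and five that surfaced, each already attributed to a new service, a new check, a manual find, a regression, or a host that was missed last time. Findings present in both scans are not listed, since they need no explanation.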

Vulnerabilities can be hard to track, but with a bit of elbow grease and a convenient table provided by a reliable, intelligent resource (cough), you can hopefully be well on your way to eradicating the mystery of the vulnerability disappearing and reappearing act.

