Archive for cloud computing

DevCentral Cloud Month - Week Four

Posted in f5, big-ip, cloud computing, devcentral by psilva on June 23rd, 2017

What’s this week about?

f5dccloud17.jpgReady for another week of Cloud Month on DevCentral? Suzanne, Hitesh, Greg, Marty and Lori are ready! Last week we looked at servicessecurityautomationmigrationAnsible and other areas to focus on once you get your cloud running. We also had a cool Lightboard Lesson explaining BIG-IP in the public cloud. This week we go deeper into areas like high availabilityscalabilityresponsibilityinter-connectivity and exploring the philosophy behind cloud deployment models.

Now that we’re half-way through Cloud Month, I thought it’d be fun to share a little bit about our authors.

Suzanne Selhorn is a Sr. Technical Writer with our TechPubs team. Our Technical Communications team are responsible for many of the deployment guides you use and are also the creators of some of the awesome step-by-step technical videos featured on DevCentral’s YouTube channel. She and Thomas Stanley crafted the AWS series.

Hitesh Patel is a Sr. Solution Architect covering Cloud/DevOps. He’s one of the smartest cloud cookies we got and works with F5 customers to get a handle on their cloud deployments. He also loves karaoke.

Greg Coward is a Solution Architect on our Business Development team. The BizDev team works with our many technology partners building out joint solutions. Greg covers Microsoft and how BIG-IP plays in Azure among other solutions.

Marty Scholes is an Applications Architect with our Solutions Marketing team. Traditionally, he writes whitepapers, technical articles and helps the Marketing team understand the technical nuances of various solutions and this month he went deep into GoogleCloud deployments.

Finally, someone you probably are already familiar due to her extensive writing and expertise, F5’s Principal Technical Evangelist Lori MacVittie. User 38 on DevCentral, she is a subject matter expert on emerging technologies and how F5 fits with the internet craze these days. I’ve been fortunate to have known & worked with Lori since her early days at F5 when we were both trailblazing Technical Marketing Managers.

The DevCentral team truly appreciates their contributions to Cloud Month and encourages you to connect with them.

ps




Cloud Month on DevCentral

Posted in f5, big-ip, cloud, cloud computing, application delivery, devcentral, aws, azure by psilva on June 1st, 2017

 

#DCCloud17

dc-logo.jpgThe term ‘Cloud’ as in Cloud Computing has been around for a while. Some insist Western Union invented the phrase in the 1960s; others point to a 1994 AT&T ad for the PersonaLink Services; and still others argue it was Amazon in 2006 or Google a few years later. And Gartner had Cloud Computing at the top of their Hype Cycle in 2009.

No matter the birth year, Cloud Computing has become an integral part of an organization’s infrastructure and is not going away anytime soon. A 2017 SolarWinds IT Trends report says 95% of businesses have migrated critical applications to the cloud and F5's SOAD report notes that 20% of organizations will have over half their applications in the cloud this year. It is so critical that we’ve decided to dedicate the entire month of June to the Cloud.

We’ve planned a cool cloud encounter for you this month. We’re lucky to have many of F5’s Cloud experts offering their 'how-to' expertise with multiple 4-part series. The idea is to take you through a typical F5 deployment for various cloud vendors throughout the month. Mondays, we got Suzanne Selhorn & Thomas Stanley covering AWS; Wednesdays, Greg Coward will show how to deploy in Azure; Thursdays, Marty Scholes walks us through Google Cloud deployments including Kubernetes.

But wait, there’s more!

On Tuesdays, Hitesh Patel is doing a series on the F5 Cloud/Automation Architectures and how F5 plays in the Service Model, Deployment Model and Operational Model - no matter the cloud and on F5 Friday #Flashback starting tomorrow, we’re excited to have Lori MacVittie revisit some 2008 #F5Friday cloud articles to see if anything has changed a decade later. Hint: It has…mostly. In addition, I’ll offer my weekly take on the tasks & highlights that week.

Below is the calendar for DevCentral's Cloud Month and we’ll be lighting up the links as they get published so bookmark this page and visit daily! Incidentally, I wrote my first Cloud tagged article on DevCentral back in 2009. And if you missed it, Cloud Computing won the 2017 Preakness. Cloudy Skies Ahead!

June 2017

 

Monday

Tuesday

Wednesday

Thursday

Friday

 

28

29

30

31

1

Cloud Month Intro & Calendar

2

Flashback Friday: The Many Faces of Cloud

Lori MacVittie

3

4

5

Successfully Deploy Your Application in the AWS Public Cloud

Suzanne Selhorn

6

Cloud/Automated Systems need an Architecture

Hitesh Patel

7

The Hitchhiker’s Guide to BIG-IP in Azure

Greg Coward

8

Deploy an App into Kubernetes in less than 24 Minutes

Marty Scholes

9

F5 Flashback Friday: The Death of SOA Has (Still) Been Greatly Exaggerated

-Lori

10

11

12

Secure Your New AWS Application with an F5 Web Application Firewall

-Suzanne

13

The Service Model for Cloud/Automated Systems Architecture

-Hitesh

14

The Hitchhiker’s Guide to BIG-IP in Azure – ‘Deployment Scenarios

-Greg

15

Deploy an App into Kubernetes Even Faster (Than Last Week)

-Marty

16

F5 Flashback Friday: Cloud and Technical Data Integration Challenges Waning

-Lori

17

18

19

Shed the Responsibility of WAF Management with F5 Cloud Interconnect

-Suzanne

20

The Deployment Model for Cloud/Automated Systems Architecture

-Hitesh

21

The Hitchhiker’s Guide to BIG-IP in Azure – ‘High Availability’

-Greg

22

Deploy an App into Kubernetes Using Advanced Application Services

-Marty

23

Flashback Friday: Is Vertical Scalability Still Your Problem?

-Lori

24

25

26

​Get Back Speed and Agility of App Development in the Cloud with F5 Application Connector

-Suzanne

27

The Operational Model for Cloud/Automated Systems Architecture

-Hitesh

28

The Hitchhiker’s Guide to BIG-IP in Azure – ‘Life Cycle Management’

-Greg

29

Peek under the Covers of your Kubernetes Apps

-Marty

30

Cloud Month Wrap!

 

Titles subject to change...but not by much.

ps

 




Device Discovery on BIG-IQ 5.1

Posted in f5, big-ip, cloud computing, adc, application delivery, devcentral, aws, azure, access, big-iq by psilva on May 23rd, 2017

The first step in using a BIG-IQ to manage BIG-IP devices

BIG-IQ enables administrators to centrally manage BIG-IP infrastructure across the IT landscape.  BIG-IQ discovers, tracks, manages, and monitors physical and virtual BIG-IP devices - in the cloud, on premise, or co-located at your preferred datacenter.

Let’s look at how to get BIG-IQ 5.1 to gather the information needed to start managing a BIG-IP device. This gathering process is called Device Discovery.

To get started, the first thing is to logon to the BIG-IQ

iq2.jpg

Once in, the first thing you do is let the BIG-IQ know about the BIG-IP device that you want to manage. Here, in Device Management>Inventory>BIG-IP Devices, we’ll click Add Device.

iq3.jpg

Here we’ll need the IP address, user name and password of the device you want to manage. If the device you want to manage is part of a BIG-IP Device Service Cluster (DSC), you’ll probably want to manage that part of its configuration by adding it to a DSC group on the BIG-IQ. After selecting a DSC, tell the BIG-IQ how to handle synchronization when you deploy configuration changes so that when you deploy changes to one device, the other DSC members get the same changes. Best practice is to let BIG-IQ do the sync.

iq5.jpg

Next click Add at the bottom of the page to start the discovery process.

iq6.jpg

Once the device recognizes your credentials, it’ll prompt you to choose the services that you want to manage. You always select LTM, even if you only mange other services because the other services depend on LTM. To finish the device discovery task, click Discover.

iq7.jpg

The BIG-IQ gathers the information it needs for each of the services you requested. This first step takes only a few moments while the BIG-IQ discovers your devices. You are done with discovery once the status update reads, Complete import tasks.

iq8.jpg

Now, we need to import the service configurations that the BIG-IQ needs before we can start managing that BIG-IP device. Click the link that says, Complete import tasks.

Next, you’ll begin the process of importing the BIG-IP LTM services for this device. Just like the discovery task, you’ll import LTM first.

Click Import.

iq9.jpg

This could take a little time depending on how many LTM objects are defined on this BIG-IP device. When the import finishes, BIG-IQ will display the date and time of when the operation was completed.

iq91.jpg

Now, we repeat the process for the second service provisioned on this device.

iq92.jpg

Importing an access device like BIG-IP APM is slightly different. Part of the import task is to identify the Access Group that this device uses to share its configuration. Whether you’re adding to an existing or creating a new access group, when you’re done entering the name of the group, click Add to start the import process. Here again, the time to process depends on how many BIG-IP APM configuration objects are defined on the device.

iq93.jpg

When the BIG-IP APM services import finishes and the time completed displays, you can simply click Close to complete the task.

iq94.jpg

You can now see that the device has been added to BIG-IQ.

iq95.jpg

That’s it! Now you can start managing the BIG-IP LTM and APM object on this device. For this article, we only imported LTM and APM objects but the process is the same for all services you manage.

Thanks to our TechPubs group and watch the video demo here.

ps

Related:

What is BIG-IQ




Updating an Auto-Scaled BIG-IP VE WAF in AWS

Posted in security, f5, big-ip, cloud computing, infrastructure, waf, aws by psilva on May 23rd, 2017

Update servers while continuing to process application traffic.

Recently we've been showing how to deploy BIG-IP (and F5 WAF) in various clouds like Azure and AWS.

Today, we’ll take a look at how to update an AWS auto-scaled BIG-IP VEBIG-IP VE web application firewall (WAF) that was initially created by using this F5 github template. This solution implements auto-scaling of BIG-IP Virtual Edition (VE) Web Application Firewall (WAF) systems in Amazon Web Services. The BIG-IP VEs have the Local Traffic Manager (LTM) and Application Security Manager (ASM) modules enabled to provide advanced traffic management and web application security functionality. As traffic increases or decreases, the number of BIG-IP VE WAF instances automatically increases or decreases accordingly.

Prerequisites:

asw1.jpg

So, let’s assume you used the CFT to create a BIG-IP WAF in front of your application servers…and your business is so successful that you need to be able to process more traffic. You do not need to tear down your deployment and start over – you can make changes to your current deployment while the WAF is still running and protecting your environment.

For this article, a few examples of things you can change include increasing the throughput limit. For instance, When you first configured the WAF, you choose a specific throughput limit for BIG-IP. You can update that. You may also have selected a smaller AWS instance size and now want to choose a larger AWS instance type and add more CPU. Or, you may have set up your auto-scaling group to launch a maximum of two instances and now you want to be able to update the auto-scaling group attributes and add three.

This is all possible so let’s check it out.

The first thing we want to do is connect to one of the BIG-IP VE instances and save the latest configuration. We open putty, login and run the TMSH command (save /sys ucs /var/tmp/original.ucs) to save the UCS config file.

asw2.jpg

Then we use WinSCP to copy the UCS files to the desktop. You can use whatever application you like and copy the file wherever you like as this is just a temporary location.

asw3.jpg

Once that’s done, open the AWS Management Console and go to the S3 bucket. This bucket was created when you first deployed the CFT and locate yours.

asw456.jpg

When you find your file, click it and then click the Backup folder.

asw7.jpg

Once there, now upload the UCS file into that folder.

asw89.jpg

The USC is now in the folder.

asw91.jpg

The last step is to redeploy the CFT and change the selected options. From the main AWS Management Console, click CloudFormation, select your Stack and under Actions, click Update Stack.

asw9293.jpg

Next, you can see the template we originally deployed and to update, click Next.

asw94.jpg

Scroll down the page to Instance Configuration to change the instance type size.

asw95.jpg

Right under that is Maximum Throughput to update the throughput limit.

asw96.jpg

And a little further down under Auto Scaling Configuration is where you can update the max number of instances. When done click Next at the bottom of the page.

asw97.jpg

It’ll ask you to review and confirm the changes. Click Update.

asw9899.jpg

You can watch the progress and if your current BIG-IP VE instance is actively processing traffic, it will remain active until the new instance is ready.  Give it a little time to ensure the new instance is up and added to the auto scaling group before we terminate the other instance.

asw991.jpg

When it is done, we’ll confirm a few things.

Go to the EC2 Dashboard and check the running instances. We can see the old instance is terminated and the new instance is now available. You can also check the instance size and within the auto scaling group you can see the new maximum for number of instances.

asw99234.jpg

And we’re deployed.

You can follow this same workflow to update other attributes of your F5 WAF. This allows you to update your servers while continuing to process traffic.

Thanks to our TechPubs group, you can also watch the video demo.

ps

Related:

 




Deploying F5’s Web Application Firewall in Microsoft Azure Security Center

Posted in security, f5, big-ip, cloud, cloud computing, silva, microsoft, application delivery, waf, azure by psilva on May 9th, 2017

Use F5’s Web Application Firewall (WAF) to protect web applications deployed in Microsoft Azure.

Applications living in the Cloud still need protection. Data breaches, compromised credentials, system vulnerabilities, DDoS attacks and shared resources can all pose a threat to your cloud infrastructure. The Verizon DBIR notes that web application attacks are the most likely vector for a data breach attack. While attacks on web applications account for only 8% of reported incidents, according to Verizon, they are responsible for over 40% of incidents that result in a data breach. A 2015 survey found that 15% of logins for business apps used by organizations had been breached by hackers.

One way to stay safe is using a Web Application Firewall (WAF) for your cloud deployments.

Let’s dig in on how to use F5’s WAF to protect web applications deployed in Microsoft Azure. This solution builds on BIG-IP Application Security Manager (ASM) and BIG-IP Local Traffic Manager (LTM) technologies as a preconfigured virtual service within the Azure Security Center.

Some requirements for this deployment are:

  • You have an existing web application deployed in Azure that you want to protect with BIG-IP ASM
  • You have an F5 license token for each instance of BIG-IP ASM you want to use

To get started, log into your Azure dashboard and on the left pane, toward the bottom, you’ll see Security Center and click it.

awaf1.jpg

Next, you’ll want to click the Recommendations area within the Security Center Overview.

awaf2.jpg

And from the list of recommendations, click Add a web application firewall.

awaf3.jpg

A list of available web applications opens in a new pane. From the application list, select the application you want to secure.

awaf5.jpg

And from there click Create New. You’ll get a list of available vendors’ WAFs and choose F5 Networks.

awaf7.jpg

A new page with helpful links and information appears and at the bottom of the page, click Create.

awaf8.jpg

First, select the number of machines you want to deploy – in this case we’re deploying two machines for redundancy and high availability. Review the host entry and then type a unique password for that field. When you click Pricing Tier, you can get info about sizing and pricing. When you are satisfied, at the bottom of that pane click OK.

awaf82.jpg

Next, in the License token field, copy and paste your F5 license token. If you are only deploying one machine, you’ll only see one field. For the Security Blocking Level, you can choose Low, Medium or High. You can also click the icon for a brief description of each level. From the Application Type drop down, select the type of application you want to protect and click OK (at the bottom of that pane).

awaf83.jpg

Once you see two check marks, click the Create button.

awaf84.jpg

Azure then begins the process of the F5 WAF for your application. This process can take up to an hour. Click the little bell notification icon for the status of the deployment.

awaf8687.jpg

You’ll receive another notification when the deployment is complete.

awaf88.jpg

After the WAF is successfully deployed, you’ll want to test the new F5 WAF and finalize the setup in Azure including changing the DNS records from the current server IP to the IP of the WAF.

When ready, click Security Center again and the Recommendations panel. This time we’ll click Finalize web application firewall setup.

awaf9.jpg

And click your Web application.

awaf91.jpg

Ensure your DNS settings are correct and check the I updated my DNS Settings box and when ready, click Restrict Traffic at the bottom of the pane.

awaf92.jpg

Azure will give you a notification that it is finalizing the WAF configuration and settings, and you will get another notification when complete.

awaf93.jpg

And when it is complete, your application will be secured with F5’s Web Application Firewall.

Check out the demo video and rest easy, my friend.

ps

Related:




What is Virtual Desktop Infrastructure (VDI)

Posted in security, big-ip, cloud computing, mobile, vdi, devcentral, infrastructure, access by psilva on March 8th, 2017

devcentral_basics_article_banner.png

What is VDI?

vdicon.jpgImagine not having to carry around a laptop or be sitting in a cubicle to access your work desktop applications. Virtual desktop infrastructure (VDI) is appealing to many different constituencies because it combines the benefits of anywhere access with desktop support improvements.

Employees typically use a wide range of mobile devices from laptops to tablets and from desktops to smartphones are being used. The diversity of these mobile devices and the sheer number of them in the workplace can overwhelm IT and strain your resources.

Desktop Virtualization centralizes sets of desktops, usually in a data center or cloud environment, and then provide access to your employees whether they are in the office, at home or mobile.  VDI deployments virtualize user desktops by delivering them to distinctive endpoint devices over the network from a central location. There are many reasons why organizations deploy VDI solutions – it’s easier for IT to manage, it can reduce capital expenditures, improve security and helps companies run a ‘greener’ business.

Since users’ primary work tools are now located in a data center rather than on their own local machines, VDI can strain network resources, and the user experience can be negatively affected. Desktop virtualization is a bit more complex than server virtualization since it requires more network infrastructure, servers, server administrators, authentication systems, and storage. VDI’s effect on the network is significant; it may necessitate infrastructure changes to accommodate the large volume of client information that will be traversing the network. When a user’s desktop moves from a physical machine under the desk to the data center, the user experience becomes paramount; a poor VDI deployment will result in IT being flooded with “My desktop is too slow” calls.

DIAG-ARCH-AVAIL-16553-vdi_1_.png

Why VDI?

Mobile devices and bring your own computing are popular drivers for VDI deployments.  It enables employees to work from anywhere and simplifies/unifies desktop management, especially updating operating systems and applications.  It can lower costs, provide flexible remote access; improve security and compliance along with potentially offering organizations disaster recovery options.  It also enables employee flexibility and reduced IT risk of employee owned devices. VDI allows employees work with a wide range of devices from laptops to tablets to smartphones.  Employees can sign on from wherever they are, whenever they like and with whichever device they choose.

Deploying virtual desktops can also increase IT efficiency and reduce IT workload since the desktops are centralized.  It also benefits IT with greater access and compliance control, while at the same time, allowing employees the freedom to use their mobile device of choice. IT departments can remove obsolete versions of application software or perhaps enhance the security policy. Either way, the employee always has the most up to date desktop image.

Things to Consider

Desktop virtualization is no longer about the desktop, it’s about allowing employees desktop access from wherever they are. So things like availability, access, security, DR, authentication, storage, network latency and SSO are all areas to keep in mind when deploying a VDI solution.

VDI Providers

Some VDI solutions include VMware View, Citrix XenDesktop, and Microsoft RDS.

Next Steps

If you'd like to learn more or dig deeper into VDI, here are some additional resources:

Also, here are some other articles from the #Basics Series.

 

 

 

 




Deploy BIG-IP VE in AWS

Posted in Uncategorized, f5, big-ip, cloud, cloud computing, devcentral, aws, access by psilva on January 23rd, 2017

aws_logo.jpgCloud is all the rage these days as it has matured into a bona fide, viable option to deploy your applications. While attractive, you may also want to apply, mimic or sync your traditional data center policies like high availability, scalability and predictability in the cloud.

 




Blog Roll 2016

Posted in security, f5, big-ip, cloud computing, silva, application delivery, devcentral, infrastructure, access, iot by psilva on December 20th, 2016

dc-logo.jpgIt’s that time of year when we gift and re-gift, just like this text from last year. And the perfect opportunity to re-post, re-purpose and re-use all my 2016 entries.

After 12 years at F5, I had a bit of a transition in 2016, joining the amazing DevCentral team in February as a Sr. Solution Developer. You may have noticed a much more technical bent since then…hopefully. We completed our 101 Certification Exam this year and will be shooting for the 201 next quarter. We started highlighting our community with Featured Member spotlight articles and I finally started contributing to the awesome LightBoard Lessons series. I also had ACDF surgery this year, which is why November is so light. Thanks to the team for all their support this year. You guys are the best!

If you missed any of the 53 attempts including 7 videos, here they are wrapped in one simple entry. I read somewhere that lists in articles are good. I broke it out by month to see what was happening at the time and let's be honest, pure self-promotion. I truly appreciate the reading and watching throughout 2016.

Have a Safe and Happy New Year!

 

January

February

March

April

May

June

July

August

September

October

November

December

 

And a couple special holiday themed entries from years past.

ps

Related

 




Lightboard Lessons: SSO to Legacy Web Applications

IT organizations have a simple goal: make it easy for workers to access all their work applications from any device. But that simple goal becomes complicated when new apps and old, legacy applications do not authenticate in the same way.

In this Lightboard Lesson, I draw out how VMware and F5 helps remove these complexities and enable productive, any-device app access. By enabling secure SSO to Kerberos constrained delegation (KCD) and header-based authentication apps, VMware Workspace ONE and F5 BIG-IP APM help workers securely access all the apps they need—mobile, cloud and legacy—on any device anywhere.

 

 

Watch Now:



Managing Your Vulnerabilities

Posted in f5, big-ip, application security, cloud computing, compliance, 0day by psilva on December 9th, 2016

vuln_ahead.jpg

I recently recovered from ACDF surgery where they remove a herniated or degenerative disc in the neck and fuse the cervical bones above and below the disk. My body had a huge vulnerability where one good shove or fender bender could have ruptured my spinal cord. I had some items removed and added some hardware and now my risk of injury is greatly reduced.

Breaches are occurring at a record pace, botnets are consuming IoT devices and bandwidth, and the cloud is becoming a de-facto standard for many companies. Vulnerabilities are often found at the intersection of all three of these trends, so vulnerability and risk management has never been a greater or more critical challenge for organizations.

Vulnerabilities come in all shapes and sizes but one thing that stays constant – at least in computer security - is that a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. It is the intersection where a system is susceptible to a flaw; whether an attacker can access that flaw; and whether an attacker can exploit that flaw within the system. For F5, it means an issue that results in a confidentiality, integrity, or availability impact of an F5 device by an unauthorized source. Something that affects the critical F5 system functions - like passing traffic.

You may be familiar with CVE or Common Vulnerabilities and Exposures. This is a dictionary of publicly known information security vulnerabilities and exposures. Each vulnerability or exposure gets a name or CVE ID and allows organizations to reference it in a public way. It enables data exchange between security products and provides a baseline index point for evaluating coverage of tools and services. MITRE is the organization that assigns CVEs. There are also CVE Numbering Authorities (CNA). Instead of sending a vulnerability to MITRE for numbering, a CNA gets a block of numbers and can assign IDs as needed. The total CVE IDs is around 79,398.

Most organizations are concerned about CVEs and the potential risk if one is present in their environment. This is obviously growing with the daily barrage of hacks, breaches and information leaks. Organizations can uncover vulnerabilities from scanner results; from media coverage like Heartbleed, Shellshock, Poodle and others; or from the various security related standards, compliance or internal processes. The key is that scanning results need to be verified for false positives, hyped vulnerabilities might not be as critical as the headline claims and what the CVE might mean for your compliance or internal management.

For F5, we keep a close eye on any 3rd party code that might be used in our systems. OpenSSL, BIND or MySQL are examples. For any software, there may be bugs or researcher’s reports or even non-CVE vulnerabilities that could compromise the system. Organizations need to understand the applicability, impact and mitigation available.

Simply put: Am I affected? How bad is it? What can I do?

vuln chart

With Applicability, research typically determines if an organization should care about the vulnerability. Things like, is the version of software noted and are you running it. Are you running the vulnerable function within the software? Sometimes older or non-supported versions might be vulnerable but you’ve upgraded to the latest supported code or you are simply not using the vulnerable function at all. The context is also important. Is it being used in default, standard or recommended mode? For instance, many people don’t change the default password of their Wi-Fi device and certain functionality is vulnerable. It gets compromised and becomes part of a botnet. But if the password was changed, as recommended, and it becomes compromised some other way, then that is a different situation to address.

cvss calculator

For Impact, there are a couple ways to decide how bad it is. First, you can look at the severity of the vulnerability - is it low, medium, high or critical. You can also see if there is a Common Vulnerability Scoring System (CVSS) score tied to the vulnerability. The CVSS score can give you a gauge to the overall risk. To go a bit deeper, you can look at the CVSS Vector.

There are 3 sections to the CVSS. There are the constant base metrics covering the exploitability of the issue, the impact that it may have and the scope that it is in. There are the temporal metrics, which may change over time, giving the color commentary of the issue. And there are the environmental metrics which look at the specific, individual environment and how that is impacted. Areas explored here include things like the attack vector and complexity; whether elevated privileges are required or any user interaction along with the scope and how it affects the confidentiality, integrity and availability of the system. One can use the CVSS calculator to help determine a vector score. With a few selections you can get a base, temporal and environmental score to get an overall view of the severity. With this, you can get an understanding as to how to handle the vulnerability. Every organization has different levels of risk based on their unique situation. The vulnerability base score may have a critical listing yet based on your environmental score, the severity and risk may be nil.

Lastly, the Mitigation taken is not an exact science and truly depends on the issue and the organization’s situation. Mitigation is not necessarily prevention. For example, compensating controls, such as restricting root level access might mean that a vulnerability simply isn’t exploitable without a privileged account.

Vulnerability management and information security is about managing risk. Risk analysis, risk management, risk mitigation and what that risk means to the business. Patching a vulnerability can introduce other risks, so the old refrain of “patch your $#!+” is not the panacea we’re often led to believe. Risk is not limited to the severity of the vulnerability alone, but also to the required vector for exploiting that vulnerability where it exists within a specific organization’s infrastructure.

It’s important to understand your risk and focus on the important pieces.

ps





« Older episodes ·