The field of the present disclosure relates to enterprise computer security and, more particularly, to computer-based methods and systems for retrieving known software vulnerability profiles (also referred to as a “CVE”) from a central repository (e.g., database) of known vulnerabilities and identifying, based on the profiles, vulnerabilities that affect a plurality of computing assets.
A vulnerability is a flaw or weakness in a computer system's design, implementation, or operation and management that could be exploited to violate the system's security policy. Vulnerabilities are generally regarded as any aspect of a system or its components (e.g., computing assets) that allows a breach of security, such as, but not limited to: executing commands as another user; accessing data contrary to access restrictions; posing as another entity; and conducting a denial-of-service attack. The impact of a security breach can be high. For example, a security breach can violate privacy laws and regulations that require organizations to secure private data stored within a computer system from release to unauthorized users.
One way to minimize the impact of vulnerabilities on a system is to perform periodic information technology security audits of the system and its components (e.g., computing assets). This systematic technical assessment measures a system's susceptibility to vulnerabilities. Audits can include interviewing staff, manually reviewing components for known vulnerabilities, reviewing application and operating system access controls, and analyzing physical access to the system. Systems can include computing assets such as personal computers, servers, mainframes, network routers, switches, and other electronics that contain or facilitate the flow of data.
Known technology security audits utilize operators to evaluate the presence of vulnerabilities in software applications installed on computing assets in a computer system. The audits are performed on an application-by-application basis, comparing one or more lists of known vulnerabilities to a list of installed applications. These audits are time-consuming and labor intensive, resulting in an audit frequency dictated by operator availability. Also, because conventional audits are performed manually, vulnerabilities discovered since the last update to the list of known vulnerabilities go undiscovered during the audit. Accordingly, the accuracy of an audit depends on when it is performed. Additionally, upon discovery of a vulnerability, the operator must ascertain the resolution and apply it manually. Thus, known technology security audits fail to provide an accurate evaluation of known vulnerabilities in the installed application base of a computer system. Moreover, these known systems are unable to provide a real-time evaluation of vulnerabilities present in the computer system or its components.
Accordingly, it is desirable to evaluate technology assets for the presence of vulnerabilities in a rapid and accurate manner, and to provide vulnerability fixes to operators to speed the resolution of vulnerabilities.
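The comparison described above, a list of known vulnerability profiles crossed with each asset's list of installed applications, can be made automatic and repeatable. The following is an added illustration, not code from the disclosure: it takes a constructed repository of CVE-style profiles (placeholder ids, invented product names, assumed field layout) and a constructed asset inventory, reports which assets fall inside each profile's affected version range together with the profile's remediation text, and separately lists the profiles that a stale copy of the repository would have missed, which is the time-dependence problem the background describes. Version strings are compared numerically so that "13.10" is correctly treated as newer than "13.4".

```python
from dataclasses import dataclass
from datetime import datetime


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '2.4.49' into (2, 4, 49).

    Comparing tuples of ints avoids the string-comparison bug where
    '13.10' sorts before '13.4'.  Assumes purely numeric, dot-separated versions.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class VulnProfile:
    """One entry from the central repository (field layout is assumed, not the disclosure's)."""
    vuln_id: str           # placeholder id, not a real CVE number
    product: str
    min_version: str       # first affected version (inclusive)
    fixed_version: str     # first version that is no longer affected (exclusive)
    fix: str               # remediation text to hand to the operator
    published: str         # ISO date the profile was added to the repository


@dataclass(frozen=True)
class InstalledApp:
    product: str
    version: str


@dataclass(frozen=True)
class Asset:
    name: str
    apps: tuple            # tuple of InstalledApp


def is_affected(profile: VulnProfile, app: InstalledApp) -> bool:
    """True when the installed version falls inside the profile's affected range."""
    if profile.product.lower() != app.product.lower():
        return False
    installed = parse_version(app.version)
    return parse_version(profile.min_version) <= installed < parse_version(profile.fixed_version)


def find_affected_assets(profiles, assets) -> dict:
    """Cross every repository profile with every asset's installed applications.

    Returns {vuln_id: [(asset, product, version, fix), ...]} covering only
    profiles that matched at least one asset.
    """
    findings = {}
    for profile in profiles:
        for asset in assets:
            for app in asset.apps:
                if is_affected(profile, app):
                    findings.setdefault(profile.vuln_id, []).append(
                        (asset.name, app.product, app.version, profile.fix)
                    )
    return findings


def profiles_missed_since(profiles, last_feed_sync_iso: str) -> list:
    """Ids of profiles published after the auditor last refreshed its copy of the
    repository: an audit run from that stale copy cannot report them."""
    last_sync = datetime.fromisoformat(last_feed_sync_iso)
    return sorted(p.vuln_id for p in profiles
                  if datetime.fromisoformat(p.published) > last_sync)


# Constructed sample repository and inventory (not real products or CVEs).
FEED = (
    VulnProfile("EXAMPLE-CVE-0001", "WebServer", "2.4.0", "2.4.50",
                "Upgrade WebServer to 2.4.50 or later", "2024-01-10"),
    VulnProfile("EXAMPLE-CVE-0002", "DBEngine", "13.0", "13.4",
                "Upgrade DBEngine to 13.4 or later", "2024-03-02"),
    VulnProfile("EXAMPLE-CVE-0003", "WebServer", "2.4.51", "2.4.53",
                "Upgrade WebServer to 2.4.53 or later", "2024-04-01"),
)

ASSETS = (
    Asset("web-01", (InstalledApp("WebServer", "2.4.49"), InstalledApp("DBEngine", "13.4"))),
    Asset("web-02", (InstalledApp("WebServer", "2.4.50"),)),   # exactly at the fixed version
    Asset("db-01", (InstalledApp("DBEngine", "13.2"),)),
    Asset("db-02", (InstalledApp("DBEngine", "13.10"),)),      # newer than 13.4 despite the string
)


if __name__ == "__main__":
    for vuln_id, hits in sorted(find_affected_assets(FEED, ASSETS).items()):
        for asset, product, version, fix in hits:
            print(f"{vuln_id}: {asset} runs {product} {version} -> {fix}")
    print("missed by a feed copy last synced 2024-02-01:",
          profiles_missed_since(FEED, "2024-02-01"))
```

Run as-is to see the report for the constructed inventory: only web-01 (WebServer 2.4.49) and db-01 (DBEngine 13.2) are inside an affected range, web-02 sits exactly at the fixed version and is clean, and db-02's "13.10" is correctly recognised as newer than the 13.4 fix. A copy of the repository last refreshed on 2024-02-01 would know nothing of the two later profiles, which is why the refresh has to be part of the audit rather than a separate manual step.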