CN117407887A - Vulnerability management method, device, system and storage medium - Google Patents


Info

Publication number
CN117407887A
Authority
CN
China
Legal status
Pending
Application number
CN202311509695.1A
Other languages
Chinese (zh)
Inventor
张嘉鑫
Current Assignee
Spreadtrum Communications Tianjin Co Ltd
Original Assignee
Spreadtrum Communications Tianjin Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30 Computing systems specially adapted for manufacturing

Abstract

The embodiment of the invention provides a vulnerability management method, device, system and storage medium. The method comprises the following steps: in the vulnerability synchronization stage, acquiring at least one piece of vulnerability information; obtaining an approval result corresponding to each piece of vulnerability information according to the at least one piece of vulnerability information; in the vulnerability pre-release stage, acquiring an approval list according to at least one approval result; and in the vulnerability feedback stage, in response to a sending operation input by the vulnerability manager, sending the vulnerability release list corresponding to the approval list to the release system. This constructs a canonical management system, centralizes the vulnerability management flow, establishes a unified management mechanism and reduces careless manual mistakes; the vulnerability management flow no longer depends on manual work or personal experience, does not generate a great deal of repeated manual labor, forms a standardized management mechanism and workflow, and improves processing efficiency.

Description

Vulnerability management method, device, system and storage medium
Technical Field
The present invention relates to the technical field of vulnerability management, and in particular, to a vulnerability management method, device, system and storage medium.
Background
The current security vulnerability processing flow relies on manual synchronization of security vulnerability information and is managed by having several parties jointly maintain a shared file; the vulnerability processing flow is therefore still at the stage of manual analysis and manual management, has extremely low processing efficiency and is extremely prone to careless mistakes.
Disclosure of Invention
In view of the above, the present invention provides a vulnerability management method, device, system and storage medium, so as to solve the problems of the prior art that the vulnerability processing flow is still at the stage of manual analysis and manual management, that the processing efficiency is extremely low, and that careless mistakes are extremely easy to make.
In a first aspect, an embodiment of the present invention provides a method, including:
in the vulnerability synchronization stage, acquiring at least one piece of vulnerability information;
obtaining an approval result corresponding to each piece of vulnerability information according to the at least one piece of vulnerability information;
in the vulnerability pre-release stage, acquiring an approval list according to at least one approval result;
and in the vulnerability feedback stage, in response to a sending operation input by the vulnerability manager, sending the vulnerability release list corresponding to the approval list to the release system.
In a possible implementation manner, the obtaining, according to at least one piece of vulnerability information, an approval result corresponding to each piece of vulnerability information includes:
in the vulnerability retest stage, in response to an operation of the vulnerability manager reproducing the vulnerability environment according to the input vulnerability information, sending the reproduced vulnerability environment to a vulnerability resolution system, and in response to a classification operation input by the vulnerability manager, determining the vulnerability module category corresponding to the vulnerability information;
in the vulnerability resolution stage, in response to a vulnerability data information filling template having been configured by the project manager corresponding to the vulnerability module category, generating vulnerability attachment information according to operations input by a developer and the vulnerability data information filling template;
in the vulnerability audit stage, in response to an audit-pass operation input after the project manager audits the vulnerability attachment information, acquiring a first state of the vulnerability resolution system and a second state of the vulnerability attachment information;
and on the basis of the first state being a solving state and the second state being a finishing state, confirming that the approval result corresponding to the vulnerability information is a condition-met result.
In one possible implementation manner, after generating the vulnerability attachment information, the method further includes:
in response to an audit-fail operation input after the project manager audits the vulnerability attachment information, executing the vulnerability resolution stage again, that is, in response to the vulnerability data information filling template configured by the project manager corresponding to the vulnerability module category, generating vulnerability attachment information according to operations input by the developer and the vulnerability data information filling template.
In a possible implementation manner, the obtaining, according to at least one piece of vulnerability information, an approval result corresponding to each piece of vulnerability information includes:
in the vulnerability retest stage, in response to an operation of the vulnerability manager reproducing the vulnerability environment according to the input vulnerability information, sending the reproduced vulnerability environment to a vulnerability resolution system, and in response to a classification operation input by the vulnerability manager, determining the vulnerability module category corresponding to the vulnerability information;
in the vulnerability resolution stage, in response to the project manager corresponding to the vulnerability module category not having configured a vulnerability data information filling template, generating vulnerability default information according to operations input by a developer and the acquired vulnerability default information template;
in the vulnerability audit stage, in response to a review operation initiated by the vulnerability manager, acquiring the review result input after the vulnerability review group reviews the vulnerability default information;
in response to the review result being a review-pass result, acquiring a first state of the vulnerability resolution system and a second state of the vulnerability attachment information;
and on the basis of the first state being a solving state and the second state being a finishing state, confirming that the approval result corresponding to the vulnerability information is a condition-met result.
In one possible implementation manner, after acquiring the review result input after the vulnerability review group reviews the vulnerability default information, the method further includes:
in response to the review result being a review-fail result, executing the vulnerability resolution stage again, that is, in response to the project manager corresponding to the vulnerability module category not having configured a vulnerability data information filling template, generating vulnerability default information according to operations input by the developer and the acquired vulnerability default information template.
In one possible implementation manner, the obtaining an approval list according to at least one approval result includes:
in response to a list-formulation operation input by the project manager corresponding to at least one vulnerability module category, generating a pre-release vulnerability list corresponding to each vulnerability module category according to the obtained target vulnerability pre-release information corresponding to the at least one vulnerability module category, wherein the approval result corresponding to the target vulnerability pre-release information is a condition-met result;
generating at least one pre-release list according to the obtained vulnerability disclosure identification code corresponding to each piece of target vulnerability pre-release information and the at least one pre-release vulnerability list, wherein the pre-release list comprises the target vulnerability pre-release information corresponding to the vulnerability module category and the vulnerability disclosure identification code corresponding to each piece of target vulnerability pre-release information;
updating at least one of the pre-release lists in response to a tagging operation entered by the third-party system interface person on at least one of the pre-release lists;
and in response to the vulnerability manager ending the audit operation on the at least one pre-release list, generating the approval list according to the at least one audited pre-release list.
In one possible implementation, the approval list includes at least one approved pre-release list, and each pre-release list includes at least one piece of target vulnerability pre-release information; before the step of sending the vulnerability release list corresponding to the approval list to the release system in response to the sending operation input by the vulnerability manager, the method further comprises:
obtaining vulnerability release information corresponding to at least one target vulnerability pre-release information according to at least one approved pre-release list;
and generating the vulnerability release list according to at least one piece of vulnerability release information.
In a second aspect, an embodiment of the present invention provides a vulnerability management device, where the vulnerability management device includes a vulnerability collection module and a vulnerability pre-publishing module;
the vulnerability collection module is used for acquiring at least one piece of vulnerability information based on a vulnerability synchronization stage; obtaining an approval result corresponding to each piece of vulnerability information according to at least one piece of vulnerability information;
the vulnerability pre-release module is used for acquiring an approval list according to at least one approval result in the vulnerability pre-release stage; and in the vulnerability feedback stage, in response to a sending operation input by the vulnerability manager, sending the vulnerability release list corresponding to the approval list to the release system.
In a third aspect, an embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium includes a stored program, where when the program runs, the program controls a device in which the computer readable storage medium is located to execute the method of any one of the first aspects.
In a fourth aspect, an embodiment of the present application provides a vulnerability management system, including a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, cause the vulnerability management system to perform the method of any one of the first aspects.
With the vulnerability management method, device, system and storage medium provided by the embodiment of the invention, at least one piece of vulnerability information is acquired in the vulnerability synchronization stage; an approval result corresponding to each piece of vulnerability information is obtained according to the at least one piece of vulnerability information; an approval list is acquired according to at least one approval result in the vulnerability pre-release stage; and in the vulnerability feedback stage, in response to a sending operation input by the vulnerability manager, the vulnerability release list corresponding to the approval list is sent to the release system. This constructs a canonical management system, centralizes the vulnerability management flow, establishes a unified management mechanism and reduces careless manual mistakes; the vulnerability management flow no longer depends on manual work or personal experience, does not generate a great deal of repeated manual labor, forms a standardized management mechanism and workflow, and improves processing efficiency.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a vulnerability management device according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a vulnerability management system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a life cycle state according to an embodiment of the present invention;
FIG. 4 is a flowchart of a vulnerability management method according to an embodiment of the present invention;
FIG. 5 is a flowchart of vulnerability processing provided by an embodiment of the present invention;
FIG. 6 is a flowchart for obtaining approval results according to an embodiment of the present invention;
FIG. 7 is a flowchart of another method for obtaining approval results according to an embodiment of the present invention;
FIG. 8 is a flowchart of obtaining an approval list according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a vulnerability management system according to an embodiment of the present invention.
Detailed Description
For a better understanding of the technical solution of the present invention, the following detailed description of the embodiments of the present invention refers to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein merely describes an association between associated objects, meaning that three relationships may exist; for example, "A and/or B" may represent: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
Fig. 1 is a schematic structural diagram of a vulnerability management device provided by the present invention, where, as shown in fig. 1, the vulnerability management device includes a vulnerability collection module 1 and a vulnerability pre-publishing module 2. The vulnerability collection module 1 is connected with the vulnerability pre-release module 2.
The vulnerability collection module 1 is used for acquiring at least one piece of vulnerability information in the vulnerability synchronization stage, and for obtaining an approval result corresponding to each piece of vulnerability information according to the at least one piece of vulnerability information; the vulnerability pre-release module 2 is used for acquiring an approval list according to at least one approval result in the vulnerability pre-release stage, and, in the vulnerability feedback stage, in response to a sending operation input by the vulnerability manager, sending the vulnerability release list corresponding to the approval list to the release system.
In an embodiment of the present invention, the vulnerability information includes at least one of the important information fields such as the vulnerability name, the vulnerability summary, the vulnerability impact range, the vulnerability impact level, the Common Weakness Enumeration (CWE) number and the Common Vulnerability Scoring System (CVSS) level; the vulnerability information may also include other information, which is not limited in the embodiment of the present invention.
The embodiment of the invention provides a vulnerability management device comprising a vulnerability collection module and a vulnerability pre-release module. The vulnerability collection module is used for acquiring at least one piece of vulnerability information in the vulnerability synchronization stage and obtaining an approval result corresponding to each piece of vulnerability information according to the at least one piece of vulnerability information; the vulnerability pre-release module is used for acquiring an approval list according to at least one approval result in the vulnerability pre-release stage and, in the vulnerability feedback stage, in response to a sending operation input by the vulnerability manager, sending the vulnerability release list corresponding to the approval list to the release system. This constructs a canonical management system, centralizes the vulnerability management flow, establishes a unified management mechanism and reduces careless manual mistakes; the vulnerability management flow no longer depends on manual work or personal experience, does not generate a great deal of repeated manual labor, forms a standardized management mechanism and workflow, and improves processing efficiency.
In one possible implementation, the vulnerability collection module 1 includes a vulnerability synchronization sub-module 11. The vulnerability synchronization sub-module 11 is configured to obtain at least one piece of vulnerability information from a vulnerability synchronization system in the vulnerability synchronization stage, and/or to acquire at least one piece of vulnerability information in response to a vulnerability-adding operation input by the vulnerability manager.
In a certain embodiment of the invention, the vulnerability management device is deployed on a vulnerability management system, and the vulnerability management system is communicatively connected with a vulnerability synchronization system. The vulnerability synchronization sub-module 11 synchronizes vulnerability information from the vulnerability synchronization system at regular intervals based on Unified Threat Management (UTM). For example, the vulnerability synchronization system comprises the official HackerOne vulnerability platform, and the vulnerability synchronization sub-module 11 can automatically acquire the vulnerability data issued by the HackerOne system based on UTM through a Representational State Transfer (REST) Application Programming Interface (API). To ensure information accuracy, the vulnerability management device can perform preliminary screening and verification of the vulnerability data, synchronize the valid vulnerability data into the vulnerability management device and define the valid vulnerability data as the vulnerability information, so that vulnerability information is synchronized at regular intervals and end-to-end automatic data synchronization management is realized. The vulnerability management device also exposes an API interface through which vulnerability data can be acquired from a third-party system, realizing data exchange and system interconnection.
The vulnerability management device also has a self-submitted vulnerability function: staff inside the company can submit a vulnerability according to the vulnerability self-submission template provided by the vulnerability management device, and the vulnerability synchronization sub-module 11 generates vulnerability information in response to the filled-in vulnerability self-submission template uploaded by the staff. For example, the staff inside the company include the vulnerability manager, and the vulnerability synchronization sub-module 11 obtains vulnerability information in response to operations such as the vulnerability manager manually adding the vulnerability information of a mail vulnerability or manually adding the vulnerability information of a vulnerability identified by a HackerOne ID.
Fig. 2 is a schematic diagram of a vulnerability management apparatus provided in an embodiment of the present invention. As shown in fig. 2, the vulnerability management system is an integrated system for implementing closed-loop management of the whole vulnerability life cycle, data analysis and interaction with the external network, and the vulnerability management system includes a vulnerability management apparatus with nine core modules: the vulnerability collection module 1, the vulnerability pre-release module 2, the statistics and analysis module 3, the configuration management module 4, the workbench module 5, the multi-system interaction module 6, the timing management module 7, the monitoring service module 8 and the rights management module 9. The vulnerability management device corresponds to six process stages: the vulnerability synchronization stage, the vulnerability retest stage, the vulnerability resolution stage, the vulnerability audit stage, the vulnerability pre-release stage and the vulnerability feedback stage. Each process stage may be divided into at least one life cycle state, and the vulnerability management apparatus further corresponds to 15 life cycle states. The 15 life cycle states include a vulnerability synchronization state, a to-be-assigned state, a to-be-filled state, a to-be-inspected state, a to-be-filled-back state, an inspected state, a Bug-resolution-unfilled state, a to-be-listed state, a pre-released state, a to-be-Google-Issued state, a to-be-initiated-review state, a to-be-reviewed state, a to-be-fed-back state, and a completed state.
Fig. 3 is a schematic diagram of the life cycle states provided by an embodiment of the present invention. As shown in fig. 3, the first 14 of the 15 life cycle states are shown (the completed state is not shown in fig. 3), together with 6 roles and the nodes at which each of the 6 roles participates in the task, the frames corresponding to the roles being marked; the 6 roles are the PM, the vulnerability manager, the developer, the vulnerability review group, the Google interface person and the system background. The middle of fig. 3 shows the 6 process stages and the states into which each process stage is divided: the vulnerability synchronization stage is divided into the vulnerability synchronization state; the vulnerability retest stage is divided into the to-be-assigned state; the vulnerability resolution stage is divided into the to-be-filled state; the vulnerability audit stage is divided into the to-be-inspected state, the to-be-filled-back state, the inspected state and the Bug-resolution-unfilled state; the vulnerability pre-release stage is divided into the to-be-released state, the to-be-listed state, the pre-released state, the to-be-Google-Issued state, the to-be-initiated-review state and the to-be-reviewed state; and the vulnerability feedback stage is divided into the to-be-fed-back CVE state and the completed state, where the to-be-fed-back CVE state is equivalent to the to-be-fed-back state. The vulnerability management device also uses a workflow engine to automate the vulnerability management process according to the dependency relationship between the process stages and the life cycle states, completing automatic process state transitions and advancing the node tasks.
Each life cycle state corresponds to a processing node in the workflow, and the node attributes of the processing node define elements such as the deliverable tasks, time limit and notification mechanism corresponding to that life cycle state. The duration of each vulnerability in each state can therefore be monitored; once a time limit is exceeded, a prompt is sent in time and the progress and plan must be explained, and the administrator can view the processing progress and expected completion time of a given vulnerability or project at any time. The vulnerability management device can monitor and precisely control every detail of all life cycle states of a vulnerability, greatly improving the efficiency and quality of management work. The mapping between process states and nodes gives the system and device strong work-practice management capability: the vulnerability manager can adjust the state sequence or remap nodes at any time in the process modeling interface to rapidly reconfigure the process, so that the vulnerability management device has high flexibility and adaptability and can be adjusted over time to better meet management requirements.
As shown in FIG. 2, the vulnerability collection module 1 corresponds to at least one of the following operations: synchronizing vulnerabilities, synchronizing updates, adding mail vulnerabilities, adding HackerOne vulnerabilities, associating modules, retest information, binding an existing bug, submitting a bug, issuing default tables, module attachment table allocation, unified filling of the information table, issuing comments, pass-rate listening and bug-status listening. When the life cycle state is the vulnerability synchronization state, the vulnerability collection module 1 corresponds to at least one of synchronizing vulnerabilities, synchronizing updates, adding mail vulnerabilities and adding HackerOne vulnerabilities. The vulnerability synchronization sub-module 11 is further configured to update a vulnerability information table according to the obtained at least one piece of vulnerability information in the vulnerability synchronization stage, and to save the vulnerability information table to a database. Before the update, the vulnerability information table may be blank or may already contain previously obtained vulnerability information, and the vulnerability collection module 1 may store the vulnerability information table in the database.
In one possible implementation, the vulnerability collection module 1 further includes a vulnerability analysis sub-module 12, a vulnerability resolution sub-module 13, and a vulnerability approval sub-module 14. The vulnerability analysis sub-module 12 is connected with the vulnerability synchronization sub-module 11 and the vulnerability resolution sub-module 13, and the vulnerability resolution sub-module 13 is connected with the vulnerability approval sub-module 14.
The vulnerability analysis sub-module 12 is configured to send the reproduced vulnerability environment to the vulnerability resolution system in response to the operation of the vulnerability manager reproducing the vulnerability environment according to the input vulnerability information, and to determine the vulnerability module category corresponding to the vulnerability information in response to the classification operation input by the vulnerability manager. The vulnerability resolution sub-module 13 is configured, in the vulnerability resolution stage, to generate vulnerability attachment information according to operations input by a developer and the vulnerability data information filling template, in response to that template having been configured by the project manager corresponding to the vulnerability module category. The vulnerability approval sub-module 14 is configured, in the vulnerability audit stage, to acquire a first state of the vulnerability resolution system and a second state of the vulnerability attachment information in response to an audit-pass operation input after the project manager audits the vulnerability attachment information, and, on the basis of the first state being the solving state and the second state being the finishing state, to confirm that the approval result corresponding to the vulnerability information is a condition-met result.
In one embodiment of the invention, the vulnerability resolution system comprises a Bugzilla system, and the vulnerability management device provides a one-click bug submission function. When the life cycle state is the to-be-allocated state, as shown in FIG. 2, the vulnerability collection module 1 corresponds to at least one of the operations of associating a module, retesting information, binding an existing bug and submitting a bug. The vulnerability manager checks the synchronized or uploaded vulnerability information through the vulnerability analysis sub-module 12; after confirming that the information is correct, the manager reproduces the vulnerability environment from the vulnerability information, sends the reproduced environment to the Bugzilla system, classifies each successfully reproduced vulnerability by vulnerability module category, and thereby associates the vulnerability with its vulnerability module category. When the vulnerability manager reproduces a vulnerability environment through the vulnerability analysis sub-module 12 and the vulnerability already has a corresponding bug, the vulnerability is a duplicate, and the manager binds it to the existing bug to complete the reproduction operation; when no corresponding bug exists, a new bug is created and bound to the vulnerability to complete the reproduction operation.
The vulnerability manager can select the vulnerability module category corresponding to the vulnerability information from the plurality of vulnerability module categories provided by the vulnerability analysis sub-module 12. Alternatively, after the vulnerability manager analyzes the vulnerability information, the vulnerability analysis sub-module 12 generates an evaluation report in response to the input of the vulnerability information and obtains the vulnerability module category from that report. For example, the vulnerability manager analyzes the vulnerability information in depth, correlating data such as the vulnerability module category, level, overview and problem domain of the vulnerability, and generates an evaluation report containing the vulnerability module category, repair level, scope of influence, vulnerability type, risk level and the like. The evaluation report may directly determine the priority of vulnerability processing.
When the life cycle state is the to-be-filled state, as shown in FIG. 2, the vulnerability collection module 1 corresponds to the operation of allocating the module attachment table or unified filling of the information table. Developers formulate a repair scheme from the vulnerability information and vulnerability environment, adapted to the vulnerability type and risk level, perform the repair in the vulnerability resolution system and generate repair information. Each vulnerability module category corresponds to a project manager identifier that identifies a unique project manager (PM). The project manager supervises the vulnerabilities of that category and edits, through the vulnerability collection module 1, the vulnerability data information filling template for the category. The template follows a common industry standard so that a unified format is produced; for example, it contains key fields such as the vulnerability name, level, affected versions and repair suggestions, as well as the environment in which the vulnerability arises, the discovery process and a hazard analysis. Because the project manager has edited the template for the vulnerability module category under his or her responsibility, once the repair is complete the template is issued to the developers as the vulnerability accessory information table, which they fill in and upload through the vulnerability resolution sub-module 13.
The vulnerability accessory information may comprise the vulnerability accessory information table and repair information, the repair information including at least one of a repair test report, diff information, a guide, vulnerability repair log information, a repair scheme and a verification report. The template thus provides a standard form for reporting vulnerabilities in a unified, industry-standard format: the reported repair status is normalized and of consistent quality; developers can no longer submit self-defined report forms or loosely worded statements; every report reaches a defined depth and breadth, so the information is accurate and comprehensive; the uniform format and controllable quality greatly reduce the workload and difficulty of vulnerability assessment; other personnel can quickly and accurately grasp the characteristics and impact of each vulnerability, which serves as an important reference for drafting and verifying the repair scheme; and the efficiency and quality of vulnerability management are markedly improved.
When the life cycle state is the to-be-audited state, the PM audits the vulnerability accessory information through the vulnerability approval sub-module 14. When the life cycle state is the audited state, the vulnerability collection module 1 corresponds to the operations of issuing review comments or monitoring the bug status. After the PM audits the vulnerability accessory information, the vulnerability approval sub-module 14 issues the audit-pass result and then actively monitors the processing progress in the vulnerability resolution system and/or the second state of the vulnerability accessory information table. When the processing progress in the vulnerability resolution system reaches resolved, the first state of the vulnerability resolution system is determined to be the resolved state; when the first state is the resolved state and the second state of the vulnerability accessory information table is the completed state, the approval result corresponding to the vulnerability information is determined to be the condition-met result. For example, when the Bugzilla bug reaches its fixed/closed stage (BugFix/Closed in the workflow used here), the vulnerability is resolved and the first state is the resolved state; when the vulnerability accessory information table has been completely filled in, the second state is the completed state. Both conditions are checked independently: a closed bug with an unfilled table, or a filled table for a bug that is still open, does not satisfy the approval condition.
In one possible implementation, the vulnerability approval sub-module 14 is further configured, in response to an audit-failed operation input after the project manager audits the vulnerability accessory information, to trigger the vulnerability resolution sub-module 13 to execute the vulnerability resolution stage again, in which the vulnerability accessory information is regenerated from the developer's input operations and the vulnerability data information filling template configured by the project manager for the vulnerability module category.
In an embodiment of the present invention, when the life cycle state is the returned-for-filling state, the vulnerability approval sub-module 14 issues the audit-failed result after the PM audits the detailed vulnerability accessory information provided by the developers, and the developers edit and upload the vulnerability accessory information table and/or the repair information again through the vulnerability resolution sub-module 13.
In one possible implementation, the vulnerability approval sub-module 14 is further configured to repeat the operation of obtaining the first state of the vulnerability resolution system and the second state of the vulnerability accessory information as long as the first state is the unresolved state and/or the second state is the incomplete state.
In an embodiment of the present invention, when the life cycle state is the bug-resolved-but-unfilled state, the developer has resolved the bug but has not yet filled in the vulnerability accessory information table. The vulnerability approval sub-module 14 is then further configured to generate a reminder prompting the developer to fill in the table. This prevents the developer from postponing the table after resolving the bug, which would make the data filled in later inaccurate, and gives the PM a follow-up action to support the PM's work.
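The approval gate just described, written out as an added example (illustrative code for this page, not the patent's implementation): the two states are modelled as enums, `evaluate` reproduces the decision of the vulnerability approval sub-module 14 for one vulnerability, and `monitor` feeds it the successive states that polling Bugzilla and the accessory information table would yield, including the resolved-but-unfilled reminder and the audit-failed return. Class and function names, and the walk-through data, are assumptions.

```python
"""Approval gate of the vulnerability audit stage (added illustration).

Example code written for this page, not the patent's own implementation. It
models the two inputs that the vulnerability approval sub-module 14 checks
after the PM's audit: the first state (bug status in the vulnerability
resolution system, e.g. Bugzilla) and the second state (fill status of the
vulnerability accessory information table). All names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class BugState(Enum):
    UNRESOLVED = "unresolved"
    RESOLVED = "resolved"                  # e.g. Bugzilla bug at BugFix/Closed


class TableState(Enum):
    INCOMPLETE = "incomplete"
    COMPLETED = "completed"


class Verdict(Enum):
    WAIT = "wait"                          # keep polling both states
    REMIND = "remind_developer"            # bug resolved, table still unfilled
    MEETS_CONDITION = "meets_condition"    # first and second state both done
    RETURNED = "returned_for_filling"      # PM audit failed: back to resolution stage


@dataclass
class VulnRecord:
    vuln_id: str
    bug_state: BugState = BugState.UNRESOLVED
    table_state: TableState = TableState.INCOMPLETE
    audit_passed: Optional[bool] = None    # None until the PM records a decision
    reminders: List[str] = field(default_factory=list)


def evaluate(rec: VulnRecord) -> Verdict:
    """One evaluation pass of the approval sub-module for a single vulnerability.

    Both states are checked independently: a closed bug with an unfilled table
    yields a reminder, not an approval; a filled table for an open bug waits.
    """
    if rec.audit_passed is False:
        return Verdict.RETURNED
    if rec.audit_passed is None:
        return Verdict.WAIT
    if rec.bug_state is BugState.RESOLVED and rec.table_state is TableState.COMPLETED:
        return Verdict.MEETS_CONDITION
    if rec.bug_state is BugState.RESOLVED:
        rec.reminders.append(f"{rec.vuln_id}: bug resolved, accessory table not filled")
        return Verdict.REMIND
    return Verdict.WAIT


def monitor(rec: VulnRecord,
            observations: Iterable[Tuple[BugState, TableState]]) -> List[Verdict]:
    """Apply successive (first state, second state) observations, as the
    sub-module would obtain them by polling, and return the verdict after each.
    Monitoring stops as soon as a terminal verdict is reached."""
    verdicts: List[Verdict] = []
    for bug_state, table_state in observations:
        rec.bug_state, rec.table_state = bug_state, table_state
        verdict = evaluate(rec)
        verdicts.append(verdict)
        if verdict in (Verdict.MEETS_CONDITION, Verdict.RETURNED):
            break
    return verdicts


if __name__ == "__main__":
    # Constructed walk-through: the PM passed the audit, the bug closes before the table is filled.
    rec = VulnRecord("VULN-0001", audit_passed=True)
    trace = monitor(rec, [
        (BugState.UNRESOLVED, TableState.INCOMPLETE),
        (BugState.RESOLVED, TableState.INCOMPLETE),
        (BugState.RESOLVED, TableState.COMPLETED),
    ])
    print([v.value for v in trace], rec.reminders)
```

The walk-through produces one reminder on the second observation and approval only on the third; a record whose audit the PM failed is returned on the first observation regardless of the two states.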
In one possible implementation, the vulnerability analysis sub-module 12 is configured, in the vulnerability retest stage, to reproduce the vulnerability environment in response to an operation of the vulnerability manager based on the input vulnerability information, send the reproduced vulnerability environment to the vulnerability resolution system, and determine the vulnerability module category corresponding to the vulnerability information in response to a classification operation input by the vulnerability manager. When the project manager responsible for the vulnerability module category has not configured a vulnerability data information filling template, the vulnerability resolution sub-module 13 is configured to generate vulnerability default information from operations input by the developers and an obtained vulnerability default information template. The vulnerability approval sub-module 14 is configured, in the vulnerability audit stage, to respond to an initial audit operation input by the vulnerability manager and obtain the review result entered after the vulnerability review group has reviewed the vulnerability default information; in response to the review result being a review-pass result, to obtain the first state of the vulnerability resolution system and the second state of the vulnerability accessory information (in this path, the vulnerability default information); and, when the first state is the resolved state and the second state is the completed state, to confirm that the approval result corresponding to the vulnerability information is the condition-met result.
In one embodiment of the present invention, when the project manager has not edited a vulnerability data information filling template for the vulnerability module category under his or her responsibility, as shown in FIG. 2, the vulnerability collection module 1 corresponds to at least one of the operations of associating a module, retesting information, binding an existing bug, submitting a bug, issuing the default table, unified filling of the information table, issuing review comments, monitoring the pass rate and monitoring the bug status. The vulnerability resolution sub-module 13 provides a vulnerability default information template and presents it to the developers as the vulnerability default information table. The template follows a common industry standard so that a unified format is produced; for example, it may contain key fields such as the vulnerability name, level, affected versions and repair suggestions, as well as the environment in which the vulnerability arises, the discovery process and a hazard analysis. The vulnerability default information template and the vulnerability data information filling template may be the same or different. When the life cycle state is the to-be-filled state, the developers fill in and upload the vulnerability default information table through the vulnerability resolution sub-module 13.
The vulnerability default information comprises the vulnerability default information table and repair information, the repair information including at least one of a repair test report, diff information, a guide, vulnerability repair log information, a repair scheme and a verification report. Like the vulnerability data information filling template, the vulnerability default information template provides a standard form for reporting vulnerabilities in a unified, industry-standard format, with the same benefits: normalized, consistent-quality repair reports; no self-defined forms or loosely worded statements from developers; a defined depth and breadth for every report, so the information is accurate and comprehensive; a uniform format and controllable quality that greatly reduce the workload and difficulty of vulnerability assessment; a reference that lets other personnel quickly grasp the characteristics and impact of each vulnerability when drafting and verifying the repair scheme; and markedly improved efficiency and quality of vulnerability management.
After the vulnerability default information has been collected, when the life cycle state is the to-be-reviewed state, the vulnerability manager initiates a review and the vulnerability review group reviews the vulnerability default information. The vulnerability review group comprises at least one reviewer; each reviewer enters a review opinion into the vulnerability approval sub-module 14 after reviewing, and the review result comprises at least one review opinion. The vulnerability approval sub-module 14 is specifically configured to compute a review result score from the review opinions and the size of the vulnerability review group, and to determine that the review result is a review-pass result when the score reaches the review result threshold. Reviewers who have not entered an opinion still count toward the group size, so an un-submitted opinion weighs the same as a failing one. For example, with a review result threshold of 60% and a review group of 5 reviewers, if 3 reviewers enter a pass, the score is 60% and the review passes whether the other two entered a fail or did not review at all; the vulnerability approval sub-module 14 then actively monitors the processing progress in the vulnerability resolution system and/or the state of the vulnerability default information.
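The review result score, as an added example (illustrative code for this page, not the patent's implementation): the score is the number of passing opinions over the whole review group, compared against a percentage threshold. The text's own example (3 of 5 reviewers against a 60% threshold) shows that reaching the threshold suffices, so the comparison is at-or-above, and reviewers who submitted nothing still sit in the denominator. The `outcome_settled` helper, which tells the vulnerability manager when ending the review early can no longer change the result, is an addition of the example rather than a feature described by the patent. Names are assumptions.

```python
"""Review quorum of the vulnerability review group (added illustration).

Example code written for this page, not the patent's own implementation. It
implements the review result score of the vulnerability approval sub-module
14: passing opinions divided by the size of the review group, compared with a
percentage threshold. Function and class names are assumptions.
"""
from enum import Enum
from typing import Sequence


class Opinion(Enum):
    PASS = "pass"
    FAIL = "fail"


def _count_passes(opinions: Sequence[Opinion], group_size: int) -> int:
    if group_size <= 0:
        raise ValueError("review group must have at least one reviewer")
    if len(opinions) > group_size:
        raise ValueError("more opinions than reviewers in the group")
    return sum(1 for o in opinions if o is Opinion.PASS)


def review_score_percent(opinions: Sequence[Opinion], group_size: int) -> float:
    """Score as a percentage of the whole group. Reviewers who have not
    submitted an opinion are in the denominator, so an un-submitted opinion
    weighs exactly as much as a FAIL."""
    return 100.0 * _count_passes(opinions, group_size) / group_size


def review_passes(opinions: Sequence[Opinion], group_size: int,
                  threshold_percent: int = 60) -> bool:
    """Integer comparison, so 3 of 5 against a 60% threshold passes with no
    floating-point surprise; the threshold is reached, not exceeded."""
    return _count_passes(opinions, group_size) * 100 >= threshold_percent * group_size


def outcome_settled(opinions: Sequence[Opinion], group_size: int,
                    threshold_percent: int = 60) -> bool:
    """True when the opinions still outstanding cannot change the result, i.e.
    the vulnerability manager can end the review early without altering the
    outcome. Added safeguard for this example; the patent lets the manager end
    the review at any time."""
    passes = _count_passes(opinions, group_size)
    pending = group_size - len(opinions)
    if passes * 100 >= threshold_percent * group_size:
        return True                                   # already passed
    return (passes + pending) * 100 < threshold_percent * group_size   # cannot pass any more


if __name__ == "__main__":
    group = 5
    votes = [Opinion.PASS, Opinion.PASS, Opinion.PASS]   # two reviewers silent
    print(review_score_percent(votes, group), review_passes(votes, group),
          outcome_settled(votes, group))
```

With two reviewers silent and three passes the score is 60.0, the review passes and the outcome is settled; with two passes and one fail it is 40.0, not yet passed, and not settled because the two outstanding opinions could still carry it.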
In the vulnerability audit stage, the personnel responsible for auditing must audit the vulnerability accessory information or vulnerability default information of at least one target vulnerability before approval is granted. That information gives the auditors a comprehensive and accurate basis on which to make trade-off decisions. While submitting the review result, the auditors can focus on risk points left over from or newly introduced by the repair and require the developers to evaluate and address them until the risk is under control. The approval checkpoint therefore also performs risk control and supplements requirements; this bidirectional mechanism strengthens the institutional character and authority of network security management and ensures the accuracy and standardization of the approval result.
In one possible implementation, the vulnerability approval sub-module 14 is further configured, in response to the review result being a review-failed result, to trigger the vulnerability resolution sub-module 13 to execute the vulnerability resolution stage again, in which the vulnerability default information is regenerated from the developers' input operations and the obtained vulnerability default information template, since the project manager for the vulnerability module category has not configured a vulnerability data information filling template.
Likewise, in this default-information path, the vulnerability approval sub-module 14 is further configured to repeat the operation of obtaining the first state of the vulnerability resolution system and the second state of the vulnerability default information as long as the first state is the unresolved state and/or the second state is the incomplete state.
In one possible implementation, the vulnerability pre-release module 2 is specifically configured to: in response to a list-formulation operation input by the project manager of at least one vulnerability module category, generate a pre-release vulnerability list for each vulnerability module category from the obtained target vulnerability pre-release information of that category, where the approval result corresponding to each item of target vulnerability pre-release information is the condition-met result; generate at least one pre-release list from the obtained vulnerability disclosure identification code corresponding to each item of target vulnerability pre-release information and the at least one pre-release vulnerability list, each pre-release list comprising the target vulnerability pre-release information of the vulnerability module category together with the vulnerability disclosure identification code of each item; update the at least one pre-release list in response to a tagging operation entered by the third-party system liaison on the list; and, in response to an end-review operation input by the vulnerability manager, generate an approval list from the reviewed pre-release lists.
In the embodiment of the invention, each vulnerability module category corresponds to one project manager and to at least one vulnerability. When the life cycle state is the to-be-released state, the vulnerability pre-release module 2 generates a to-be-released list from the target vulnerability information of the category whose approval result is the condition-met result. The target vulnerability information in the to-be-released list may comprise at least one of the vulnerability information, the vulnerability accessory information or the vulnerability default information of the target vulnerability; for example, the to-be-released list may contain the vulnerability name of at least one target vulnerability. The invention does not limit the content of the target vulnerability information in the to-be-released list.
When the life cycle state is the to-be-released-list state, as shown in FIG. 2, the vulnerability pre-release module 2 corresponds to the operation of formulating the module pre-release list. The project manager can view, add, delete, modify and check the to-be-released list through the vulnerability pre-release module 2 and generate target vulnerability pre-release information for at least one target vulnerability in the list. The target vulnerability pre-release information comprises the vulnerability accessory information or vulnerability default information of the target vulnerability and may also comprise the vulnerability information of the vulnerability and the like. A pre-release vulnerability list is then generated from the target vulnerability pre-release information of at least one target vulnerability in the to-be-released list; the vulnerability module category thus corresponds to both a to-be-released list and a pre-release vulnerability list.
After the pre-release vulnerability list of a vulnerability module category has been released, the life cycle state of the vulnerability is the pre-release state. The vulnerability disclosure identification code comprises a Common Vulnerabilities and Exposures (CVE) identifier (CVE-ID), and the vulnerability pre-release module 2 supports at least one of the operations of automatically applying for CVE-IDs, automatically allocating CVE-IDs and uploading CVE-IDs. When the CVE-ID pool holds enough identifiers to meet the allocation requirement, the vulnerability pre-release module 2 automatically allocates a CVE-ID from the pool to each item of target vulnerability pre-release information, adds the allocated CVE-IDs to the pre-release vulnerability list, and treats the resulting list as the pre-release list. When the CVE-ID pool does not meet the allocation requirement, the vulnerability manager manually applies for enough CVE-IDs through the vulnerability pre-release module 2 and then manually triggers the module to allocate a CVE-ID to each item of target vulnerability pre-release information; the allocated CVE-IDs are likewise added to the pre-release vulnerability list, which then serves as the pre-release list. In practice the pool is a block of identifiers reserved in advance (for instance the block a CVE Numbering Authority receives), so the allocation step must never hand out an identifier twice and should not partially assign a batch when the pool runs short.
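The two CVE-ID allocation paths of the vulnerability pre-release module 2, as an added example (illustrative code for this page, not the patent's implementation): the pool holds identifiers reserved in advance; when it covers the demand, every entry of the pre-release vulnerability list without an identifier receives one, and when it does not, nothing is assigned and the shortfall is reported so the vulnerability manager can apply for that many more and trigger allocation again. Manually uploaded CVE-IDs are kept, and a duplicate identifier can never be handed out. The identifiers in the walk-through are constructed placeholders, not real assignments; the class and function names are assumptions.

```python
"""CVE-ID pool allocation for the pre-release list (added illustration).

Example code written for this page, not the patent's own implementation. The
pool stands for the block of identifiers reserved in advance; the identifiers
used below are constructed placeholders. Names such as CveIdPool and
allocate_cve_ids are assumptions.
"""
import re
from collections import deque
from typing import Deque, Dict, List, Optional, Sequence, Set, Tuple

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")   # CVE-YYYY-NNNN with four or more digits


class CveIdPool:
    """Ordered pool of reserved, not-yet-used CVE-IDs."""

    def __init__(self, reserved: Sequence[str] = ()) -> None:
        self._free: Deque[str] = deque()
        self._seen: Set[str] = set()
        self.add(reserved)

    def add(self, ids: Sequence[str]) -> int:
        """Add newly applied-for identifiers. Malformed IDs are rejected and
        IDs already seen (free or already allocated) are ignored, so the same
        identifier can never be handed out twice. Returns how many were added."""
        added = 0
        for cve_id in ids:
            if not CVE_ID_RE.match(cve_id):
                raise ValueError(f"malformed CVE-ID: {cve_id!r}")
            if cve_id in self._seen:
                continue
            self._seen.add(cve_id)
            self._free.append(cve_id)
            added += 1
        return added

    def available(self) -> int:
        return len(self._free)

    def take(self) -> str:
        return self._free.popleft()


def allocate_cve_ids(pool: CveIdPool,
                     prerelease: List[Dict[str, Optional[str]]]) -> Tuple[bool, int]:
    """Assign a CVE-ID to every entry of the pre-release vulnerability list that
    does not already carry one (manually uploaded IDs are kept).

    The batch is all-or-nothing: if the pool cannot cover the demand, nothing is
    assigned and the shortfall is returned, so the vulnerability manager can apply
    for that many more IDs and trigger allocation again.
    Returns (allocated, shortfall)."""
    needing = [entry for entry in prerelease if not entry.get("cve_id")]
    shortfall = len(needing) - pool.available()
    if shortfall > 0:
        return False, shortfall
    for entry in needing:
        entry["cve_id"] = pool.take()
    return True, 0


if __name__ == "__main__":
    # Constructed walk-through: two reserved IDs, three entries still need one.
    pool = CveIdPool(["CVE-2023-99901", "CVE-2023-99902"])
    items: List[Dict[str, Optional[str]]] = [
        {"vuln_id": "VULN-1", "cve_id": None},
        {"vuln_id": "VULN-2", "cve_id": None},
        {"vuln_id": "VULN-3", "cve_id": "CVE-2023-99950"},   # uploaded manually
        {"vuln_id": "VULN-4", "cve_id": None},
    ]
    print(allocate_cve_ids(pool, items))                    # pool short by one
    pool.add(["CVE-2023-99903"])                             # manager applies for more
    print(allocate_cve_ids(pool, items), items)
```

The first call reports a shortfall of one and leaves every entry untouched; after the manager adds an identifier the second call assigns all three and the manually uploaded identifier on VULN-3 is preserved.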
After the pre-release lists of all vulnerability module categories have been released, the life cycle state is the waiting-for-Google-issue state, and the vulnerability pre-release module 2 corresponds to the operation of filling in the patch, the issue and the bulletin. The third-party system liaison (interface person) includes a Google liaison and is responsible for screening and releasing vulnerabilities in the third-party system; for example, the Google liaison can enter the repair result, the issue reason and the bulletin for each vulnerability in at least one pre-release list through the vulnerability pre-release module 2, thereby updating the list.
When the life cycle state is the to-be-initiated-review state, the vulnerability manager initiates editing and review of the updated and the not-yet-updated pre-release lists through the vulnerability pre-release module 2. When the life cycle state is the to-be-reviewed state, the vulnerability review group fills in review comments through the vulnerability pre-release module 2, but the vulnerability manager may manually trigger the module to end the review at any time; the approval list comprises the reviewed pre-release lists. Two review checkpoints are therefore set, one in the vulnerability audit stage and one in the vulnerability pre-release stage. In the pre-release stage, the vulnerability manager and the vulnerability review group must review the vulnerability accessory information or vulnerability default information of at least one target vulnerability in the pre-release list before approval is granted; this double approval avoids the subjective arbitrariness of a single approval and improves the accuracy of the approval result. The vulnerability accessory information or vulnerability default information gives the vulnerability manager and the review group comprehensive and accurate material: they verify it against the scheme requirements and confirm through the repair that the verification meets expectations, so that hidden dangers are eliminated or reduced to an acceptable level before the vulnerability enters the next flow node, which supports trade-off decisions. While examining the submitted result, the vulnerability manager or review group focuses on risk points left over from or newly introduced by the repair and requires the developers to evaluate and address them, performing supplementary repairs until the hidden danger is cleared. The second-pass approval effectively ensures the accuracy and standardization of the approval result; the approval checkpoints also perform risk control and supplement requirements. This bidirectional mechanism strengthens the institutional character and authority of network security management, avoids blind bug fixing, ensures that repair work is effective, markedly shortens the repair cycle, improves repair quality and provides a strong guarantee for enterprise security.
In one possible implementation, the approval list comprises at least one approved pre-release list, and each pre-release list comprises at least one item of target vulnerability pre-release information. The vulnerability pre-release module 2 is further configured to obtain, from the at least one approved pre-release list, the vulnerability release information corresponding to each item of target vulnerability pre-release information, and to generate a vulnerability release list from the vulnerability release information.
In one embodiment of the present invention, the vulnerability feedback stage corresponds to the release stage and may be divided into a CVE-to-be-returned state and a completed state. The vulnerability release information comprises the vulnerability accessory information or vulnerability default information, and the vulnerability manager can download it through the vulnerability pre-release module 2. The vulnerability release information may further comprise a credit author list for the vulnerability, containing at least one of the identifiers of a developer, the PM, the vulnerability manager, the vulnerability review group and the third-party system liaison.
When the life cycle state is the CVE-to-be-returned state, as shown in FIG. 2, the vulnerability pre-release module 2 corresponds to at least one of the operations of downloading the company official website release list (Excel), returning results to HackerOne, notifying Google and publishing on the public network. The vulnerability manager obtains the approved pre-release lists through the vulnerability pre-release module 2; an approved pre-release list may also contain content entered by the third-party system liaison, content edited by the vulnerability manager and review comments entered by the vulnerability review group. From the vulnerability release information of each item of target vulnerability pre-release information in the approved lists, the vulnerability manager generates a vulnerability release list for each release system; for example, the company official website, HackerOne, Google and the public network may each correspond to one vulnerability release list, and the several lists may be the same or different. The vulnerability manager then inputs a send operation through the vulnerability pre-release module 2, which sends each vulnerability release list to its release system. At the same time, the vulnerability pre-release module 2 can automatically upload the vulnerability accessory information or vulnerability default information uploaded by the developer to a designated SVN path according to the impact of the vulnerability, and the PM can access that SVN path directly through the vulnerability pre-release module 2 to send the information to the release system.
In one possible implementation, the vulnerability pre-release module 2 is further configured to determine, from received feedback information, the target completed vulnerability information to which the feedback refers, and to mark that target completed vulnerability information as being in the completed state.
In one embodiment of the present invention, after the vulnerability pre-release module 2 sends the vulnerability release information of at least one vulnerability, the release system acknowledges the received vulnerability release information and sends feedback information to the vulnerability management device. On receiving the feedback, the vulnerability pre-release module 2 confirms that the corresponding vulnerability is in the completed state, the final life cycle state.
In one possible implementation, the vulnerability management device further comprises a statistics and analysis module 3, which provides at least one of a vulnerability type statistics function, a vulnerability identification source analysis function, a vulnerability repair process analysis function, a vulnerability influence range analysis function, a vulnerability high-risk early warning function and a vulnerability affected-user analysis function.
The statistics and analysis module 3 is configured to: with the vulnerability type statistics function, count a first number of vulnerabilities for each of at least one vulnerability type from the vulnerability information, each item of vulnerability information corresponding to a vulnerability type; or, with the vulnerability identification source analysis function, count a second number of vulnerabilities for each of at least one vulnerability source, the vulnerability information including the vulnerability source; or, with the vulnerability repair process analysis function, compute the total processing time of at least one item of vulnerability information; or, with the vulnerability influence range analysis function, analyze the vulnerability environment of the obtained vulnerability information to derive the influence range of the vulnerability; or, with the vulnerability high-risk early warning function, establish an early warning mechanism from at least one item of historical vulnerability distribution data and its corresponding repair data; or, with the vulnerability affected-user analysis function, derive the range of affected users from the vulnerability environment of the vulnerability information.
In one embodiment of the present invention, the statistics and analysis module 3 obtains vulnerability information from the database. The database classifies, associates and manages vulnerability data, and holds, for at least one vulnerability, its vulnerability information, vulnerability type, vulnerability module category, vulnerability accessory information or vulnerability default information, target vulnerability pre-release information, vulnerability release information, timeliness data and the like. Through the vulnerability management device the vulnerability manager can at any time query the vulnerabilities of a specified type, level, Android version or chip version, and the database also provides various reports showing vulnerability information, management efficiency and other data for management to use in business analysis and decisions, so that the security management layer has a clear, data-based picture of the security situation and can put forward targeted management opinions and technical solutions. The statistics and analysis module 3 can count the number of vulnerabilities and their timeliness. As shown in FIG. 2, the statistics and analysis module 3 corresponds to at least one of the operations of vulnerability status statistics, vulnerability completion rate analysis, vulnerability component statistics, statistics by department at every level, time-based vulnerability statistics, vulnerability statistics by Android version or chip, vulnerability level statistics, vulnerability execution status, vulnerability statistics by version or Pac, product comparison analysis, vulnerability resolution rate analysis and addition of development requirements.
The vulnerability information corresponds to a vulnerability type, which may be the same as or different from the vulnerability module category; vulnerability types include a memory leak type, an authentication problem type, a remote command execution type, and the like. The statistics and analysis module 3 can count the number of vulnerabilities of each vulnerability type, so that the distribution of vulnerability types can be presented and the user can formulate a targeted security policy according to the statistical result.
The vulnerability information also includes the vulnerability source, such as discovery through code audit, penetration testing or actual exploitation, etc. The statistics and analysis module 3 can count the number of vulnerabilities from each vulnerability source, so that the effectiveness of different vulnerability identification mechanisms can be evaluated and the user can be helped to optimize the security testing scheme.
The database also includes processing times for at least one vulnerability at each flow stage and each lifecycle state. The statistics and analysis module 3 counts the time spent from the acquisition of the bug information to the completion of the bug repair, so that the efficiency of the bug repair process can be estimated, and the establishment of bug repair standards and processes is facilitated.
The vulnerability environment comprises a vulnerability attack log, and the statistics and analysis module 3 is specifically used for analyzing the vulnerability attack log and analyzing the possible influence range of the vulnerability, so that the risk of the vulnerability can be evaluated, and the user can conveniently formulate a corresponding emergency plan.
Vulnerabilities in the completed state are taken as historical vulnerabilities; the historical vulnerability distribution data includes vulnerability information, vulnerability occurrence time and the like, and the repair data includes vulnerability affiliated information or vulnerability default information. Therefore, an early warning mechanism for high-incidence periods and types of vulnerabilities can be established, so that the security team can take preventive and detection measures in advance for those periods and types.
The vulnerability environment comprises a user log, and the statistics and analysis module 3 can analyze a user range which may be affected based on the user log attacked by the vulnerability, for example, the affected user range comprises a device with a certain version of software installed in the user device, a device with a certain function set in the user device or a device with a certain chip included in the user device, and the like, so that a part of the user devices can be reminded in a targeted manner based on the analyzed affected user range, and a user can receive the reminder and reset a security policy.
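As an added illustration (not code from the patent), the following Python computes the statistics the module describes over a constructed set of vulnerability records: counts by vulnerability type and by identification source, per-stage and total processing time, and a simple high-incidence early warning derived from completed (historical) vulnerabilities. The lifecycle state names and the warning rule (a month whose count exceeds that type's mean monthly count) are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Lifecycle states in flow order (assumed names; the patent only says each
# vulnerability has a processing time per flow stage and lifecycle state).
LIFECYCLE = ["synchronized", "reproduced", "fixed", "completed"]

# Constructed sample vulnerability records, not data from the patent.
VULNS = [
    {"id": "V-1", "type": "memory leak", "source": "code audit",
     "states": {"synchronized": "2024-01-03", "reproduced": "2024-01-05",
                "fixed": "2024-01-12", "completed": "2024-01-15"}},
    {"id": "V-2", "type": "authentication problem", "source": "penetration test",
     "states": {"synchronized": "2024-01-10", "reproduced": "2024-01-11",
                "fixed": "2024-01-18", "completed": "2024-01-20"}},
    {"id": "V-3", "type": "remote command execution", "source": "actual exploitation",
     "states": {"synchronized": "2024-02-02", "reproduced": "2024-02-02",
                "fixed": "2024-02-04", "completed": "2024-02-05"}},
    {"id": "V-4", "type": "memory leak", "source": "code audit",
     "states": {"synchronized": "2024-02-14", "reproduced": "2024-02-16",
                "fixed": "2024-02-26", "completed": "2024-02-28"}},
    {"id": "V-5", "type": "memory leak", "source": "penetration test",
     "states": {"synchronized": "2024-03-01", "reproduced": "2024-03-02"}},  # still open
    {"id": "V-6", "type": "memory leak", "source": "code audit",
     "states": {"synchronized": "2024-03-04", "reproduced": "2024-03-05",
                "fixed": "2024-03-08", "completed": "2024-03-09"}},
    {"id": "V-7", "type": "authentication problem", "source": "code audit",
     "states": {"synchronized": "2024-03-20", "reproduced": "2024-03-22",
                "fixed": "2024-03-29", "completed": "2024-04-01"}},
    {"id": "V-8", "type": "memory leak", "source": "code audit",
     "states": {"synchronized": "2024-03-12", "reproduced": "2024-03-13",
                "fixed": "2024-03-16", "completed": "2024-03-18"}},
]


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")


def count_by_type(vulns):
    """Vulnerability type statistics: the first vulnerability quantity per type."""
    return Counter(v["type"] for v in vulns)


def count_by_source(vulns):
    """Identification-source analysis: the second vulnerability quantity per source."""
    return Counter(v["source"] for v in vulns)


def stage_durations(v):
    """Days spent in each flow stage, in lifecycle order; stops at the last state reached."""
    out = {}
    for prev, nxt in zip(LIFECYCLE, LIFECYCLE[1:]):
        if nxt not in v["states"]:
            break
        out[f"{prev}->{nxt}"] = (_day(v["states"][nxt]) - _day(v["states"][prev])).days
    return out


def total_processing_days(v):
    """Total processing time: acquisition (synchronized) to repair completion; None while open."""
    if "completed" not in v["states"]:
        return None
    return (_day(v["states"]["completed"]) - _day(v["states"]["synchronized"])).days


def mean_repair_days(vulns):
    """Repair-process efficiency: mean total processing time over completed vulnerabilities."""
    done = [total_processing_days(v) for v in vulns if "completed" in v["states"]]
    return mean(done) if done else None


def high_incidence_warnings(vulns):
    """Early warning: (month, type) pairs whose count of completed (historical)
    vulnerabilities, keyed by occurrence month, exceeds that type's mean monthly count."""
    per_type = defaultdict(Counter)
    for v in vulns:
        if "completed" in v["states"]:
            per_type[v["type"]][v["states"]["synchronized"][:7]] += 1
    warnings = set()
    for vtype, months in per_type.items():
        avg = mean(months.values())
        warnings.update((m, vtype) for m, n in months.items() if n > avg)
    return warnings
```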
In one possible implementation, the vulnerability management system further comprises a configuration management module 4. The configuration management module 4 is used for responding to configuration operation input by a user to generate a vulnerability self-extracting template, a vulnerability default information template or a vulnerability data information filling template; alternatively, the review result threshold is set in response to a setting operation input by the user.
In a certain embodiment of the present invention, the configuration management module 4 may correspond to at least one operation of information table template configuration, field configuration, review group configuration, chip or version configuration, CWE configuration, CVE-ID management, Bug template configuration, and Hackerone backhaul template configuration. The user refers to staff in the company, such as a vulnerability manager or a PM. The configuration management module 4 provides a free configuration function, and the user can freely configure the templates or thresholds required by the vulnerability management device based on the configuration management module 4, so that the vulnerability management device can be ensured to meet the use requirements of each role under different service scenarios.
In a possible implementation, the vulnerability management apparatus further comprises a workbench module 5. The workbench module 5 has at least one of a collection and calculation function of monitoring data and service indexes, a management interface and interactive design function, a multidimensional data analysis and display function and a customized data panel function.
The workbench module 5 is used for acquiring at least one vulnerability related data based on the monitoring data and the acquisition and calculation functions of the business indexes; based on at least one vulnerability related data, counting the number of key indexes; or, based on the management interface and the interaction related function, displaying an operation management interface; or based on the multidimensional data analysis and display function, analyzing monitoring and service data according to the constructed cross analysis mechanism and obtaining an analysis result; displaying a visual interface based on the analysis result; alternatively, the custom data interface is displayed in response to the user role based on the customized data panel functionality.
In a certain embodiment of the present invention, the workbench module 5 corresponds to at least one operation of a vulnerability newly added reminder, vulnerability conditions of each module, CVE-ID usage, vulnerability level distribution, annual vulnerability issue list, work dynamics, vulnerability total number display, module month issue list, and to-do reminder. The workbench module 5 realizes one-stop display and management of service operation conditions, completes integration and analysis of various monitoring data, service indexes and user feedback, and constructs a refined management interface to realize efficient man-machine interaction.
The vulnerability related data includes at least one lifecycle state corresponding to the vulnerability, the key index may include the vulnerability of which the lifecycle state corresponding to the vulnerability is a completed state, and the workbench module 5 counts the number of completed vulnerabilities; or, the key indexes comprise loopholes with lifecycle states corresponding to different PM being completed states, and the number of the completed loopholes corresponding to different PM is counted, so that the performance of PM is obtained.
An efficient visual framework and components can be added in front-end development, so that the workbench module 5 can provide an intuitive operation management interface. The operation management interface may refer to fig. 3: it is expressed in the form of a directed acyclic graph, clearly displays the relation and attributes of each node, and refines the node attribute settings, so that management and control of each link of the process are realized and the efficiency and quality of process execution are greatly improved. At the same time, process changes are very simple and convenient, which gives the vulnerability management device stronger adaptability, and the device can be adjusted at any time to adapt to management changes and timing requirements. The progress of vulnerability handling in other systems may also be checked; for example, the workbench module 5 may check the progress of vulnerability handling in the vulnerability resolution system.
The cross analysis mechanism includes a mechanism for performing analysis based on a chip, version, platform, and the like. The workbench module 5 is used for analyzing monitoring and business data from multiple angles, wherein the monitoring and business data comprise vulnerability information, management efficiency and the like of at least one vulnerability, and a visual interface of the vulnerability is presented.
The workbench module 5 can provide customized data interfaces according to different roles and management requirements. For example, the interface of the developer may display a system jump option and a template filling option, so that the interface may jump to the vulnerability resolution system or the developer may fill in the vulnerability data information filling template or the vulnerability default information template.
In one possible implementation, the vulnerability management apparatus further comprises a multi-system interaction module 6. The multi-system interaction module 6 has at least one of a link tracking and monitoring function, a system interfacing function, a message middleware and communication mechanism function, an identity authentication and authorization function, a system topology discovery and management function, and a fault tolerance and exception handling function.
The multi-system interaction module 6 is used for realizing the transmission of link tracking information between different systems or realizing the monitoring and problem positioning of cross-system call based on the link tracking and monitoring functions; or based on the system docking function based on the open platform, realizing docking with a third party system; or based on the functions of the message middleware and the communication mechanism, realizing the cross-system communication based on the event; or based on the identity authentication and authorization function, managing the user identity and access rights of the cross-system; or, based on the system topology discovery and management function, constructing a service registration and discovery mechanism; based on a service registration and discovery mechanism, address resolution and topology management of different systems are realized; alternatively, a retry strategy and/or a duplicate access mechanism is constructed based on fault tolerance and exception handling functions.
In an embodiment of the present invention, the multi-system interaction module 6 may implement data exchange and function interaction with different systems. For example, as shown in fig. 2, when interacting with a Hackerone system, the multi-system interaction module 6 may perform the operations of synchronizing data, updating data or editing vulnerabilities; when interacting with the Unisoc vulnerability network system, downloading the to-be-published list as an Excel file or publishing it automatically; when interacting with the CVE system, applying automatically, publishing manually or publishing automatically; when interacting with the Google official system, notifying Google to repair the vulnerability; when interacting with a worker system, submitting a bug, adding bug components or closing a bug; and when interacting with a unified threat management (Unified Threat Management, UTM) system, integrating bug patches with a Common Patch. Here, updating refers to creating a task, a new version refers to an intelligent use case recommendation, and an iterative version refers to a regression task. Therefore, a vulnerability manager can check the processing progress of a vulnerability in different systems through the multi-system interaction module 6, find omissions or differences, and prompt the related roles in time, thereby reducing the workload of repeated vulnerability reporting and repair, avoiding vulnerabilities being overlooked, and making maximum use of limited human resources.
The link tracking and monitoring function is based on the system joint debugging of link tracking, can ensure that link tracking information is transmitted between different systems, and realizes the monitoring and problem positioning of cross-system calling.
When implementing the system docking function based on the open platform (OpenAPI), the multi-system interaction module 6 may expose the OpenAPI to the outside through an application program interface (Application Programming Interface, API) gateway, so as to implement flexible docking with a third party system, and open a general interface specification and a data exchange format defined between different systems, where the third party system includes a google system, a public communications network system, and the like.
The message middleware and the communication mechanism function are based on cross-system communication of events, and an efficient message queue, an event bus and a remote procedure call protocol (Remote Procedure Call Protocol, RPC) framework are added to realize asynchronous communication and synchronous call between systems, and service events are transferred between different systems through the event bus to realize loose coupling communication between heterogeneous systems.
Based on the identity authentication and authorization functions, the user roles of the cross-system do not need to input login information again when the system is switched or jumped, so that the interoperability and service continuity of the user system are ensured.
The address of different systems can be resolved based on the service registration and discovery mechanism, and topology management can be realized according to the addresses of the systems.
The retry strategy supports that when the cross-system access fails, the cross-system access is performed again; the duplicate access mechanism supports duplicate cross-system access.
In a possible implementation, the vulnerability management apparatus further comprises a timing management module 7. The timing management module 7 has at least one of task definition and configuration functions, task scheduling and resource management functions, abnormality monitoring and alarm mechanism functions, task history audit and backtracking analysis functions.
The timing management module 7 is used for defining the dependency relationship and constraint conditions among the life cycle states based on the task definition and configuration functions; or based on task scheduling and resource management functions, predicting resource scheduling according to the acquired historical operation data; or based on the functions of the abnormality monitoring and alarming mechanism, an abnormality detection model is constructed according to analysis of the historical operation log; alarming the abnormal condition based on the abnormal detection model; or based on the task history audit and backtracking analysis function, recording detailed running logs corresponding to the vulnerability information.
In one embodiment of the present invention, the timing management module 7 can implement centralized management and monitoring of timing tasks, and construct a timing rule engine and a task scheduling process. As shown in fig. 2, the timing management module 7 corresponds to at least one operation of timing synchronization vulnerability, timing synchronization Bug, task out-of-period reminder, review out-of-period pass, pre-release list out-of-period reminder, pre-release list out-of-period seal, pending reminder, development requirement addition.
Based on the task definition and configuration functions, the timing management module 7 can provide a friendly visual interface, a user can realize simple and efficient task definition through the visual interface, define the dependency relationship and constraint conditions among life cycle states, and define the constraint conditions including at least one of processing logic, time constraint and deliverables of the definition nodes, so that the task is managed in a refined mode, the working progress of each processing node is accelerated, the repair period is greatly shortened, and the response speed and the response efficiency are improved.
The historical operation data comprises historical task volume scheduling, personnel allocation and the like. The timing management module 8 predicts the resource utilization requirement of the task according to the historical operation data, and realizes the advanced planning and allocation of resources.
The historical running log comprises a log of previous running of the vulnerability management device; the abnormality detection model is used for detecting the vulnerability management device, so that the abnormality of the vulnerability management device is automatically identified and alarmed, a fine monitoring rule is constructed, and the abnormality is detected and alarmed in real time.
Based on the task history audit and backtracking analysis function, the detailed running log of the recorded task can be saved to a database, so that a complete audit mechanism is constructed.
In a possible implementation manner, the vulnerability management device further comprises a monitoring service module 8; the monitoring service module 8 has at least one of a support business operation and management decision function, a detection and analysis function for user behavior, an optimization system architecture, and a product design function.
The monitoring service module 8 is used for exploring user behavior patterns and business operation rules from the obtained user logs, based on the function of supporting business operation and management decisions; or, based on the detection and analysis function for user behavior, analyzing at least one of the user's operation track, interest preference and network environment according to the user log, and recommending products to the user equipment based on at least one of the user's operation track, interest preference and network environment; or, based on the function of optimizing the system architecture and product design, analyzing the obtained system operation log to obtain optimization points.
In an embodiment of the present invention, the monitoring service module 8 may implement collection and aggregation of metrics (meta) and logs (logs) based on various deployed detection probes and log collectors, so as to implement real-time detection of the running state, service indexes and security events of the system. As shown in fig. 2, the monitoring service module 8 may correspond to at least one operation of Bug circulation monitoring, review result monitoring, pre-release list monitoring, and unified log service.
The vulnerability information can include user logs, and the vulnerability environment can also include user logs. By analyzing the user logs, the user behavior mode and the business operation rule can be discovered, data support is provided for product iteration and operation plan specification, and the user demands and market trends can be accurately mastered.
The user log can clearly know at least one of the operation track, interest preference and network environment of the user, so that more personalized service and product recommendation can be provided for the user, and market subdivision and directional popularization can be more accurately carried out.
Defects in the system and the products can be found through continuous analysis of the system operation log, so that the research and development team can optimize and improve them in time, and the technical framework of the vulnerability management device is driven to evolve continuously.
In a possible implementation, the vulnerability management device further comprises a rights management module 9; the rights management module 9 has at least one of a rights allocation and authorization function, a dynamic authorization function, an authentication mechanism function, an authorization management function, and a unified authentication function.
The authority management module 9 is used for setting the operation authority corresponding to the user role based on the authority allocation and authorization function; or, based on the dynamic authorization function, setting attribute information corresponding to the user role; or based on the authentication mechanism function, acquiring information of at least one system based on the acquired authentication token; or controlling the operation authority corresponding to the user based on a preset strategy and constraint conditions based on an authorization management function; or based on the unified authentication function and the acquired authentication identification, skipping the system page.
In an embodiment of the present invention, as shown in fig. 2, the rights management module 9 may correspond to at least one operation of role configuration, data rights, operation rights, and role agent. The rights management module 9 can realize fine-grained rights allocation and authorization through a Role-Based Access Control (RBAC) model: it divides the vulnerability management device into various resources and rights items, authorizes different roles according to the minimum-rights principle, and realizes segmented management of rights, so that the rights of any single role are prevented from becoming excessive and a checks-and-balances mechanism for security management is realized. The rights management module 9 may map rights to user roles based on the RBAC model, and a user obtains the corresponding rights by being associated with a user role. For example, the user roles include a vulnerability manager, a PM, a vulnerability review group, the system background, a developer, or a third-party system interface person, and the rights of each user role may be set as follows: 1) The vulnerability manager has the highest authority in the system and is responsible for system configuration, setting of the approval flow, key data processing and the like. The vulnerability manager can configure the management flow through the flow modeling tool, and set detailed authority control and approval requirements at each flow node. 2) The PM has the authority to manage and advance vulnerability projects, and can be responsible for editing templates, approving information related to advancing vulnerabilities, making the pre-release list that participates in vulnerability repair, and supervising project progress and the achievement of milestones.
3) The vulnerability review group has the authority of evaluating and controlling the vulnerability risk, members of the vulnerability review group can evaluate the risk of each vulnerability in the system, can propose the repair urgency and verification scheme, can also inspect reports about repair provided by research and development personnel, verify whether the repair scheme in the reports is feasible, and participate in checking whether the vulnerability is externally published. 4) The system background has the authority responsible for daily vulnerability management and data detection, and the system background monitors the whole flow, and converts operations such as synchronization, timing, reminding, decision, release and the like into intelligent processing of the system, so that a special person is not required to track the vulnerability, and the manpower is liberated; and the system background performs external interaction uniformly, so that the efficiency is improved. 5) The research staff has the authority of providing the bug repairing scheme and performing code repairing and self-testing work, and is responsible for reporting the repairing progress and providing the repaired report. 6) The third party system interface person has the authority to view all vulnerabilities in the pre-release state, and the third party system interface person can screen vulnerabilities needing to be released in the third party system from at least one checked vulnerability. Therefore, the authority management has higher flexibility and fineness, and can realize accurate authorization for specific business.
The RBAC model is adopted to divide the system into various resources and authority items, and different user roles are authorized according to the minimum authority principle, so that the sectional management of the authority is realized, the overlarge authority of a certain user role is avoided, and a balance mechanism for safety management is realized. The rights management module 10 adopts the RBAC model to allocate different rights and resources for six user roles, the resources are classified according to the working content, and each resource is associated with detailed rights rules. The user role is granted the necessary entitlement rules in the required resources, following the minimum entitlement rules. The RBAC model is introduced to realize the refinement control and segmentation grant of the authority, and the segmentation grant also enables the work task to be divided according to the role authority range, so that the problem of inefficiency that the work is concentrated on a certain node or person is avoided. The resource division is specific and tiny, and the authority rule covers all aspects of the system, so that the access range of each user role is tightly controlled and balanced, the balance of safety management is realized, and the accuracy and responsibility definition of authority use are ensured. Meanwhile, the association of the authority and the user roles also makes the work distribution clear and efficient. The vulnerability manager can allocate necessary authorities and works for different user roles according to the role responsibilities and project requirements of the user, so that specialization and refinement of management responsibilities are realized, the work key and time node of each role are accurately defined, repeated or missing work is effectively avoided, and the work quality and efficiency are improved. 
Meanwhile, the authority management mechanism ensures that the system has higher security and can properly protect sensitive data and key functions. Based on the workflow engine, the system can also set detailed approval flows and requirements for different user roles. Management work is highly standardized and dynamically monitored, which provides a deep guarantee for the safe and stable operation of the system.
The dynamic authorization function based on the attribute can dynamically obtain the operation authority according to the attribute information of the user. For example, the attribute information includes job level, department, and the like. The attribute information may have a correspondence relationship with the user character. When the attribute of the user is changed, the operation authority can be automatically adjusted, so that the dynamic management of the authority is realized, and the static-based authority setting of RBAC is made up.
The authentication mechanism function is implemented based on a token (token) authentication mechanism. The session management adopts a token authentication mechanism which issues an authentication token instead of a login credential, so that the session management process is simplified, a user does not need to provide login information when requesting each time, and the user experience and the system performance are improved.
The authorization management function based on the constraint can determine the authority of the user according to the preset strategy and constraint conditions, and bind the authority management with the business rules or the security requirements, thereby realizing more flexible and fine authorization management.
The unified authentication function is realized through the Open ID protocol. The OpenID protocol enables a user to use the same identifier to realize single sign-on among different systems, thereby simplifying the authentication flow of the user, improving the user experience and improving the independent authentication mechanism of the systems.
In one possible implementation manner, the vulnerability management device is further provided with a comprehensive data security mechanism and strategy. When the vulnerability management device is involved in data interaction with a database or other systems, an encryption algorithm is adopted to encrypt data transmitted to the database or between systems, accurate control of the data is realized through authority refinement, and the security of sensitive data is ensured. For example, the vulnerability management device encrypts data and files before storing them in the database, and an SSL encryption channel is also adopted for the connection to the database when the database is accessed, so that confidentiality of the data transmission process is ensured. Sensitive data and files can be encrypted and stored using an asymmetric encryption algorithm (RSA), and database connection and file reading operations are monitored in real time; the system security design conforms to the relevant cyberspace security standards, and a general encryption algorithm is selected together with periodic key updating, so that accurate authorization and dynamic monitoring of data are realized and unauthorized access and information leakage are effectively avoided. For example, the vulnerability management device can encrypt field-level data according to the attribute type of the data by adopting attribute-based encryption, so that only a decryption key carrying the corresponding attributes can decrypt the field-level data, thereby realizing fine-grained encryption and access control of the data.
The vulnerability management device can also record the data access log of the user through the blockchain network by adopting the access audit based on the blockchain, so that the distributed storage and tamper resistance of the access log are realized, the data access behavior of the user is tracked in real time, and the security problems such as unauthorized access, abnormal access and the like are easy to find. Therefore, the access control of the vulnerability management device adopts an RBAC model, the access control of refined data is realized according to the role authority setting, the dynamic monitoring is carried out on sensitive data and resources, and the data is returned only through authorized access requests, so that unauthorized access behavior is prevented, the sensitive data is prevented from being read unauthorized, meanwhile, the assembly of the vulnerability management device adopts a security isolation method, only necessary communication ports are opened, the anti-interference and anti-attack capacity of the system is enhanced, and a high-strength defense line is provided for the security of the sensitive data; the method ensures that the whole system is in a controllable safety state by periodically replacing encryption keys, controlling a database connection port, monitoring a conventional network and the like, provides comprehensive safety guarantee for sensitive data and key system functions, and builds a normal, efficient and safe vulnerability management environment.
The embodiment of the invention provides a vulnerability management device, which comprises a vulnerability collection module and a vulnerability pre-release module, wherein the vulnerability collection module is used for acquiring at least one piece of vulnerability information based on a vulnerability synchronization stage; obtaining an approval result corresponding to each piece of vulnerability information according to at least one piece of vulnerability information; the vulnerability pre-release module is used for acquiring an approval list according to at least one approval result based on a vulnerability pre-release stage; based on the loophole feedback stage, responding to the sending operation input by the loophole manager, sending the loophole release list corresponding to the approval list to the release system, thereby constructing a standard management system, reducing subjective factors depending on personal judgment and experience to the maximum extent, and definitely describing roles and setting rights, so that the working key points and tasks of each role are clearer; the vulnerability management flow is concentrated, a unified management mechanism is established, vulnerability processing progress can be monitored in real time even if vulnerability management work is scattered in different systems and departments, and a large amount of repeated labor is released, so that the security management work is highly targeted and programmed, the effect of improving efficiency and management quality is achieved, meanwhile, abundant data and cases are accumulated for security management, and the follow-up work is convenient to optimize and improve.
Fig. 4 is a flowchart of a vulnerability management method according to an embodiment of the present invention. As shown in fig. 4, the method includes:
Step 101, the vulnerability management system acquires at least one piece of vulnerability information in the vulnerability synchronization stage.
In one implementation of the embodiment, the vulnerability information includes at least one of the important fields such as the vulnerability name, vulnerability summary, vulnerability impact range, vulnerability impact level, CWE number and CVSS score; it may also include other information, which the embodiment does not limit.
Step 102, the vulnerability management system obtains an approval result corresponding to each piece of vulnerability information according to the at least one piece of vulnerability information.
In one implementation of the embodiment, the vulnerability management system obtains the approval result corresponding to each piece of vulnerability information in response to the reproduction, filling and auditing operations input by users, where the approval result includes a "condition satisfied" result.
Step 103, the vulnerability management system acquires an approval list according to at least one approval result in the vulnerability pre-release stage.
In one implementation of the embodiment, the approval list includes the target vulnerability pre-release information and the vulnerability disclosure identification code corresponding to at least one piece of vulnerability information.
Step 104, in the vulnerability feedback stage, the vulnerability management system sends the vulnerability release list corresponding to the approval list to the release system in response to a send operation input by the vulnerability manager.
The embodiment of the invention provides a vulnerability management method that acquires at least one piece of vulnerability information in the vulnerability synchronization stage; obtains an approval result corresponding to each piece of vulnerability information; acquires an approval list from at least one approval result in the vulnerability pre-release stage; and, in the vulnerability feedback stage, sends the vulnerability release list corresponding to the approval list to the release system in response to a send operation input by the vulnerability manager. This builds a standardized management system, centralizes the vulnerability management flow, establishes a unified management mechanism and reduces manual slips; the vulnerability management flow no longer depends on manual work or personal experience, does not generate large amounts of repetitive manual labour, forms a standardized management mechanism and workflow, and improves processing efficiency.
In one possible implementation, step 101 may specifically include: in the vulnerability synchronization stage, the vulnerability management system acquires at least one piece of vulnerability information from the vulnerability synchronization system; and/or acquires at least one piece of vulnerability information in response to a vulnerability-adding operation input by the vulnerability manager.
In one implementation of the embodiment, fig. 5 is a flowchart of vulnerability processing provided by the embodiment. As shown in fig. 5, vulnerability processing may be divided into 6 stages: the vulnerability synchronization stage, vulnerability retest stage, vulnerability resolution stage, vulnerability audit stage, vulnerability pre-release stage and vulnerability feedback stage. 6 roles may be set: the system background, the vulnerability manager, the developer (R&D personnel), the PM (project manager), the Google interface person and the vulnerability review group, where the system background is the background of the vulnerability management system. In the vulnerability synchronization stage the system background may synchronize vulnerabilities periodically, and the vulnerability manager may manually add vulnerabilities to the vulnerability management system, e.g. vulnerabilities with a Hackerone ID and/or vulnerabilities reported by mail. The system background updates the synchronized and/or added vulnerability information into a vulnerability information table, which may be stored in a database; the system background may store the vulnerability information table in the database in encrypted form.
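As an added example that is not part of the patent, the following Python maps the six roles above to the operations each one performs in the stages of fig. 5 and records every authorization decision in a tamper-evident log, which is what the blockchain-based access audit described earlier aims at. The operation names, the one-role-per-operation split and the SHA-256 hash chain standing in for the blockchain are assumptions.

```python
"""RBAC check for the six roles of the vulnerability management system plus a
tamper-evident access log (added example, not the patent's code). The blockchain
audit is stood in for by a SHA-256 hash chain; operation names are assumptions
derived from the stages described on the page."""
import hashlib
import json
import time
from typing import Dict, List, Optional, Set

# Which role may perform which operation (assumed: one role per operation).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "system_background": {"sync_vulnerabilities", "monitor_states",
                          "allocate_cve_id", "build_to_be_released_list"},
    "vulnerability_manager": {"add_vulnerability", "reproduce_environment",
                              "divide_module_category", "initiate_review",
                              "apply_cve_id", "end_review", "send_release_list"},
    "developer": {"fill_information_table", "upload_repair_information"},
    "pm": {"configure_template", "audit_affiliated_information",
           "formulate_pre_release_list"},
    "google_interface_person": {"mark_pre_release_list"},
    "vulnerability_review_group": {"review_default_information",
                                   "fill_review_opinion"},
}


class AccessLog:
    """Append-only log in which every entry commits to the previous entry's
    hash, so editing or deleting an earlier record breaks verification."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, user: str, role: str, op: str, allowed: bool,
               ts: Optional[float] = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"ts": ts if ts is not None else time.time(), "user": user,
                 "role": role, "operation": op, "allowed": allowed,
                 "prev_hash": prev}
        entry["hash"] = self._digest(entry)  # hash over all fields but "hash"
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Walk the chain; any modified, reordered or removed entry fails."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def unauthorized_attempts(self) -> List[dict]:
        """Denied requests are the signal for the 'unauthorized access'
        problems the audit is meant to surface."""
        return [e for e in self.entries if not e["allowed"]]


def authorize(log: AccessLog, user: str, role: str, op: str) -> bool:
    """Decide by role permission and log the decision either way."""
    allowed = op in ROLE_PERMISSIONS.get(role, set())
    log.append(user, role, op, allowed)
    return allowed


if __name__ == "__main__":
    log = AccessLog()
    authorize(log, "dev-1", "developer", "send_release_list")       # denied
    authorize(log, "mgr-1", "vulnerability_manager", "send_release_list")
    print("chain valid:", log.verify(), "denied:", len(log.unauthorized_attempts()))
```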
In one possible implementation, fig. 6 is a flowchart of obtaining an approval result provided in an embodiment of the present invention. As shown in fig. 6, step 102 may specifically include:
Step 1021, in the vulnerability retest stage, the vulnerability management system, in response to the operation input by the vulnerability manager to reproduce the vulnerability environment according to the vulnerability information, sends the reproduced vulnerability environment to the vulnerability resolution system, and, in response to a dividing operation input by the vulnerability manager, determines the vulnerability module category corresponding to the vulnerability information.
In one implementation of the embodiment, as shown in fig. 5, in the vulnerability retest stage the vulnerability manager matches the vulnerability to its vulnerability module category through the vulnerability management system and determines from the vulnerability information whether a bug corresponding to it already exists; when a corresponding bug exists, the vulnerability manager binds the vulnerability to that existing bug to reproduce the vulnerability environment; when none exists, a bug is created and bound to the vulnerability to reproduce the vulnerability environment. The vulnerability management system sends the reproduced vulnerability environment to the vulnerability resolution system, which is the system in which the developers resolve the vulnerability.
Step 1022, in the vulnerability resolution stage, in response to the PM corresponding to the vulnerability module category having configured a vulnerability data information filling template, the vulnerability management system generates vulnerability affiliated information according to the operations input by the developer and the vulnerability data information filling template.
In one implementation of the embodiment, the vulnerability data information filling template serves as the vulnerability affiliated information table. The vulnerability affiliated information includes the vulnerability affiliated information table and repair information; the repair information includes at least one of a repair test report, diff information, a guide, vulnerability repair log information, a repair scheme and a verification report.
As shown in fig. 5, in the vulnerability resolution stage the system background of the vulnerability management system determines whether the PM has configured a vulnerability data information filling template corresponding to the vulnerability module category. Because each vulnerability module category can have a corresponding PM, that PM can write the vulnerability data information filling template for the category, but there may also be cases in which the PM has not written one. When the system background determines that the PM has configured the template for the vulnerability module category, the developer fills in the vulnerability affiliated information table through the vulnerability management system, the template serving as the vulnerability affiliated information table, submits the table to the vulnerability management system, and uploads at least one of a repair test report, diff information, a guide, vulnerability repair log information, a repair scheme and a verification report.
Step 1023, in the vulnerability audit stage, in response to an audit-passed operation input after the PM audits the vulnerability affiliated information, the vulnerability management system obtains a first state of the vulnerability resolution system and a second state of the vulnerability affiliated information.
In one implementation of the embodiment, as shown in fig. 5, the PM may audit the vulnerability affiliated information through the vulnerability management system. When the PM audit passes, the system background actively monitors the processing progress of the vulnerability resolution system and/or the second state of the vulnerability affiliated information table. When the processing status in the vulnerability resolution system is "vulnerability completed" or "vulnerability closed", the first state is the resolved state; otherwise the first state is the unresolved state. When the vulnerability affiliated information table is completed, the second state is the completed state; when it is not completed, the second state is the incomplete state.
Step 1024, based on the first state being the resolved state and the second state being the completed state, the vulnerability management system confirms that the approval result corresponding to the vulnerability information is the "condition satisfied" result.
In one implementation of the embodiment, as shown in fig. 5, in the vulnerability audit stage, when the system background observes that the first state is the resolved state and the second state is the completed state, it determines that the vulnerability satisfies the condition and automatically advances the stage of the vulnerability to the vulnerability pre-release stage.
In one possible implementation, after step 1022 the method further includes: in the vulnerability audit stage, in response to an audit-failed operation input after the PM audits the vulnerability affiliated information, the vulnerability management system returns to the vulnerability resolution stage and, in response to the vulnerability data information filling template configured by the PM corresponding to the vulnerability module category, generates the vulnerability affiliated information again according to the operations input by the developer and the template.
In one possible implementation, after step 1023 the method further includes: based on the first state being the unresolved state and/or the second state being the incomplete state, the vulnerability management system repeats the step of obtaining the first state of the vulnerability resolution system and the second state of the vulnerability affiliated information.
In one possible implementation, fig. 7 is a flowchart of another method for obtaining an approval result according to an embodiment of the present invention. As shown in fig. 7, step 102 may specifically include:
Step 1025, in the vulnerability retest stage, the vulnerability management system, in response to the operation input by the vulnerability manager to reproduce the vulnerability environment according to the vulnerability information, sends the reproduced vulnerability environment to the vulnerability resolution system, and, in response to a dividing operation input by the vulnerability manager, determines the vulnerability module category corresponding to the vulnerability information.
In one implementation of the embodiment, step 1025 may refer to step 1021.
Step 1026, in the vulnerability resolution stage, in response to the PM corresponding to the vulnerability module category not having configured a vulnerability data information filling template, the vulnerability management system generates vulnerability default information according to the operations input by the developer and the obtained vulnerability default information template.
In one implementation of the embodiment, the vulnerability default information template serves as the vulnerability default information table, and the vulnerability default information includes the vulnerability default information table and repair information; the repair information includes at least one of a repair test report, diff information, a guide, vulnerability repair log information, a repair scheme and a verification report.
As shown in fig. 5, in the vulnerability resolution stage the system background of the vulnerability management system determines whether the PM has configured the vulnerability data information filling template corresponding to the vulnerability module category. When the system background determines that the PM has not configured it, the developer obtains and fills in the vulnerability default information table through the vulnerability management system, the vulnerability default information template serving as the vulnerability default information table, submits the table to the vulnerability management system, and also uploads at least one of a repair test report, diff information, a guide, vulnerability repair log information, a repair scheme and a verification report.
Step 1027, in the vulnerability audit stage, in response to an initiate-review operation input by the vulnerability manager, the vulnerability management system acquires the review result input after the vulnerability review group reviews the vulnerability default information.
In one implementation of the embodiment, as shown in fig. 5, in the vulnerability audit stage the vulnerability manager initiates a review of the summarized vulnerability default information through the vulnerability management system, and a preset vulnerability review group performs the review through the vulnerability management system and enters the review result into it.
Step 1028, in response to the review result being a review-passed result, the vulnerability management system obtains the first state of the vulnerability resolution system and the second state of the vulnerability affiliated information.
In one implementation of the embodiment, as shown in fig. 5, the system background determines whether the review is passed from the review result and a review-result threshold. When the review passes, the system background actively monitors the processing progress of the vulnerability resolution system and/or the second state of the vulnerability affiliated information table. When the processing status in the vulnerability resolution system is "vulnerability completed" or "vulnerability closed", the first state is the resolved state; otherwise the first state is the unresolved state. When the vulnerability affiliated information table is completed, the second state is the completed state; when it is not completed, the second state is the incomplete state.
Step 1029, based on the first state being the resolved state and the second state being the completed state, the vulnerability management system confirms that the approval result corresponding to the vulnerability information is the "condition satisfied" result.
In one implementation of the embodiment, step 1029 may refer to step 1024 described above.
In one possible implementation, after step 1027 the method further includes: in the vulnerability audit stage, in response to the review result being a review-failed result, the vulnerability management system returns to the vulnerability resolution stage and, in response to the PM corresponding to the vulnerability module category not having configured a vulnerability data information filling template, generates the vulnerability default information again according to the operations input by the developer and the obtained vulnerability default information template.
In one possible implementation, after step 1028 the method further includes: based on the first state being the unresolved state and/or the second state being the incomplete state, the vulnerability management system repeats the step of obtaining the first state of the vulnerability resolution system and the second state of the vulnerability affiliated information.
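The two approval paths of steps 1021 to 1024 and 1025 to 1029, as an added example in Python that is not the patent's code: the audit path is chosen by whether the PM configured a template, the first state is derived from the resolution system's status, the second state from the completeness of the information table, and the vulnerability advances to pre-release only when both hold, otherwise it stays under monitoring or falls back to the resolution stage. The required table fields and the review threshold value are assumptions.

```python
"""Approval-result determination of steps 1021-1029 (added example, not the
patent's code). Both audit paths are modelled: the PM-configured template
audited by the PM, and the default template reviewed by the review group
against a threshold. The field names and the threshold value are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Stage(Enum):
    SYNC = "vulnerability synchronization"
    RETEST = "vulnerability retest"
    RESOLUTION = "vulnerability resolution"
    AUDIT = "vulnerability audit"
    PRE_RELEASE = "vulnerability pre-release"
    FEEDBACK = "vulnerability feedback"


# Processing statuses of the resolution system that count as resolved.
RESOLVED_STATUSES = {"completed", "closed"}
# Assumed required fields of the affiliated / default information table.
REQUIRED_FIELDS = ("summary", "impact_range", "impact_level", "cwe", "cvss",
                   "repair_scheme")
REVIEW_THRESHOLD = 2  # assumed: approving reviewers needed to pass


@dataclass
class Vulnerability:
    name: str
    module_category: str
    stage: Stage = Stage.RETEST
    info_table: Dict[str, str] = field(default_factory=dict)
    resolution_status: str = "open"
    approval_result: Optional[str] = None  # "satisfied" once both states hold


def first_state(resolution_status: str) -> str:
    """Resolved when the resolution system reports completed or closed."""
    return "resolved" if resolution_status in RESOLVED_STATUSES else "unresolved"


def second_state(info_table: Dict[str, str]) -> str:
    """Complete only when every required field of the table is filled in."""
    if all(info_table.get(f) not in (None, "") for f in REQUIRED_FIELDS):
        return "complete"
    return "incomplete"


def pm_template_configured(templates: Dict[str, dict], category: str) -> bool:
    """Step 1022 vs 1026: has the PM of this module category a template?"""
    return category in templates


def review_group_passes(votes: List[bool]) -> bool:
    """Step 1028: compare the review result with the review threshold."""
    return sum(1 for v in votes if v) >= REVIEW_THRESHOLD


def evaluate(vuln: Vulnerability, audit_passed: bool) -> Stage:
    """Steps 1023/1024 (and 1028/1029): after a passing audit, check the two
    states; advance to pre-release only when both hold, otherwise keep
    monitoring. A failed audit sends the vulnerability back to resolution."""
    if not audit_passed:
        vuln.stage = Stage.RESOLUTION
        return vuln.stage
    vuln.stage = Stage.AUDIT  # background keeps polling until both states hold
    if (first_state(vuln.resolution_status) == "resolved"
            and second_state(vuln.info_table) == "complete"):
        vuln.approval_result = "satisfied"
        vuln.stage = Stage.PRE_RELEASE
    return vuln.stage


def process(vuln: Vulnerability, templates: Dict[str, dict],
            pm_decision: bool, review_votes: List[bool]) -> Stage:
    """Pick the audit path from whether the PM configured a template, then
    evaluate; pm_decision or review_votes is the input of the chosen path."""
    if pm_template_configured(templates, vuln.module_category):
        return evaluate(vuln, pm_decision)
    return evaluate(vuln, review_group_passes(review_votes))


if __name__ == "__main__":
    full = {f: "constructed" for f in REQUIRED_FIELDS}
    v = Vulnerability("V-1", "kernel", info_table=full, resolution_status="closed")
    print(process(v, {"kernel": {}}, pm_decision=True, review_votes=[]))
```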
In one possible implementation, fig. 8 is a flowchart of obtaining an approval list according to an embodiment of the present invention. As shown in fig. 8, step 103 may specifically include:
Step 1031, in the vulnerability pre-release stage, in response to a list-formulation operation input by the PM corresponding to at least one vulnerability module category, the vulnerability management system generates a pre-release vulnerability list for each vulnerability module category according to the obtained target vulnerability pre-release information corresponding to that category, where the approval result corresponding to the target vulnerability pre-release information is the "condition satisfied" result.
In one implementation of the embodiment, as shown in fig. 5, in the vulnerability pre-release stage the system background automatically adds each target vulnerability that satisfies the condition to a to-be-released list, where each vulnerability module category corresponds to one to-be-released list, and the to-be-released list may include the target vulnerability's vulnerability information and/or vulnerability affiliated information, or its vulnerability information and/or vulnerability default information. The system background may automatically store the to-be-released list in the database.
The PM corresponding to a vulnerability module category can view, add, delete, change or check the to-be-released list of that category through the vulnerability management system, sort the target vulnerability pre-release information of each target vulnerability in the list, and generate a pre-release vulnerability list; the target vulnerability pre-release information may include vulnerability information and/or vulnerability affiliated information, or vulnerability information and/or vulnerability default information. The PM submits the pre-release vulnerability list to the vulnerability management system.
Step 1032, the vulnerability management system generates at least one pre-release list according to the obtained vulnerability disclosure identification code corresponding to each piece of target vulnerability pre-release information and the at least one pre-release vulnerability list, where a pre-release list includes the target vulnerability pre-release information corresponding to a vulnerability module category and the vulnerability disclosure identification code corresponding to each piece of target vulnerability pre-release information.
In one implementation of the embodiment, as shown in fig. 5, the system background determines whether the CVE ID pool meets the allocation requirement. When it does, the system background automatically allocates a CVE ID to each of the at least one target vulnerability in the pre-release vulnerability list; when it does not, the vulnerability manager manually applies for CVE IDs through the vulnerability management system until the pool meets the allocation requirement and then manually triggers the system background to allocate CVE IDs automatically to the at least one target vulnerability in the pre-release vulnerability list. The system background adds the CVE ID of each target vulnerability to the pre-release vulnerability list in which it appears and takes the resulting list as the pre-release list.
Step 1033, the vulnerability management system updates the at least one pre-release list in response to a marking operation on the at least one pre-release list input by the third-party system interface person.
In one implementation of the embodiment, the information that the third-party system interface person inputs into the at least one pre-release list serves as marking information, which includes the marking result, repair result, problem cause, bulletin and the like corresponding to at least one target vulnerability. As shown in fig. 5, the third-party interface person is the Google interface person, who marks the at least one pre-release list through the vulnerability management system to indicate the vulnerabilities that need to be released on Google, and may enter the repair result, problem cause and bulletin corresponding to each target vulnerability into the pre-release list, thereby updating the at least one pre-release list.
Step 1034, in response to an end-review operation input by the vulnerability manager on the at least one pre-release list, the vulnerability management system generates an approval list according to the at least one reviewed pre-release list.
In one implementation of the embodiment, as shown in fig. 5, the vulnerability manager edits the updated and not-yet-updated pre-release lists and initiates a review of them through the vulnerability management system; the vulnerability review group may fill in review opinions through the vulnerability management system; and the vulnerability manager may end the review of a pre-release list at any time through the vulnerability management system and generate the approval list from the at least one reviewed pre-release list, where the approval list includes the target vulnerability pre-release information of at least one target vulnerability and the vulnerability disclosure identification code and marking information corresponding to each piece of target vulnerability pre-release information.
In one possible implementation, before step 104 the method further includes: the vulnerability management system acquires vulnerability release information corresponding to at least one piece of target vulnerability pre-release information according to the at least one reviewed pre-release list, and generates a vulnerability release list according to the at least one piece of vulnerability release information.
In one implementation of the embodiment, as shown in fig. 5, the vulnerability release information includes a table file. The vulnerability manager may download, from the corporate network or database, the table (Excel) file corresponding to at least one target vulnerability in the approval list together with a credit author list; e.g. the table file includes the vulnerability's default information table or its affiliated information table, and the credit author list includes the identities of all staff involved in processing the vulnerability. The vulnerability manager then generates the vulnerability release list through the vulnerability management system from the table file and the credit author list corresponding to the at least one target vulnerability in the approval list.
In one possible implementation, step 104 further includes: the vulnerability management system determines the target vulnerability information corresponding to received feedback information, and determines that the target vulnerability information is in the processing-completed state.
In one implementation of the embodiment, as shown in fig. 5, the vulnerability manager uploads the vulnerability release list to the CVE network through the vulnerability management system; after receiving feedback information from the CVE side for any target vulnerability in the vulnerability release list, the system background determines that the target vulnerability corresponding to the feedback information is in the completed state.
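Steps 1031 to 1034 and the release and feedback handling around step 104, as an added Python example that is not the patent's code: per-category to-be-released lists, CVE ID allocation from a pool with the manual top-up when the pool falls short, marking by the Google interface person, the approval list, the release list with credits, and closing a target on feedback. The CVE IDs are constructed placeholders from a local pool, not real assignments; the credit list and the feedback message shape are assumptions.

```python
"""Pre-release, approval and release flow of steps 1031-1034 and step 104
(added example, not the patent's code). CVE IDs are constructed placeholders
from a local pool, never real assignments; the credit list and the feedback
message shape are assumptions."""
from collections import defaultdict
from typing import Callable, Dict, List


class CveIdPool:
    """Pool of pre-obtained identifiers (step 1032). IDs are placeholders."""

    def __init__(self, ids: List[str]) -> None:
        self._ids = list(ids)

    def size(self) -> int:
        return len(self._ids)

    def meets_requirement(self, needed: int) -> bool:
        return self.size() >= needed

    def replenish(self, more: List[str]) -> None:
        self._ids.extend(more)

    def allocate(self) -> str:
        return self._ids.pop(0)


def to_be_released_lists(vulns: List[dict]) -> Dict[str, List[dict]]:
    """Step 1031: the background adds every target whose approval result is
    'satisfied' to the list of its module category."""
    lists: Dict[str, List[dict]] = defaultdict(list)
    for v in vulns:
        if v.get("approval_result") == "satisfied":
            lists[v["module_category"]].append(dict(v))
    return dict(lists)


def assign_cve_ids(pre: Dict[str, List[dict]], pool: CveIdPool,
                   manual_apply: Callable[[int], List[str]]) -> Dict[str, List[dict]]:
    """Step 1032: allocate from the pool; when the pool cannot meet the
    requirement, the manager's manual application tops it up first."""
    needed = sum(len(items) for items in pre.values())
    if not pool.meets_requirement(needed):
        pool.replenish(manual_apply(needed - pool.size()))
    for items in pre.values():
        for entry in items:
            entry["cve_id"] = pool.allocate()
    return pre


def mark_lists(pre: Dict[str, List[dict]], marks: Dict[str, dict]) -> Dict[str, List[dict]]:
    """Step 1033: the Google interface person tags entries to be released on
    Google and records repair result, problem cause and bulletin text."""
    for items in pre.values():
        for entry in items:
            if entry["name"] in marks:
                entry["google_release"] = True
                entry.update(marks[entry["name"]])
    return pre


def approval_list(pre: Dict[str, List[dict]]) -> List[dict]:
    """Step 1034: once the manager ends the review, flatten the lists."""
    return [entry for items in pre.values() for entry in items]


def release_list(approved: List[dict], credits: Dict[str, List[str]]) -> List[dict]:
    """Before step 104: one row per target with its table and credited authors."""
    return [{"cve_id": e["cve_id"], "name": e["name"],
             "table_file": e["info_table"], "credits": credits.get(e["name"], [])}
            for e in approved]


def apply_feedback(vulns: List[dict], released: List[dict],
                   feedback_cve_ids: List[str]) -> List[str]:
    """Step 104 follow-up: feedback naming a released CVE ID marks the target
    as completed; feedback for unknown IDs is ignored. Returns names closed."""
    by_cve = {r["cve_id"]: r["name"] for r in released}
    done: List[str] = []
    for cve in feedback_cve_ids:
        name = by_cve.get(cve)
        for v in vulns:
            if name is not None and v["name"] == name:
                v["state"] = "completed"
                done.append(name)
    return done


def run_demo() -> dict:
    """Constructed sample: three targets, two approved, pool short by one."""
    vulns = [
        {"name": "V-1", "module_category": "kernel", "approval_result": "satisfied",
         "info_table": {"summary": "constructed"}},
        {"name": "V-2", "module_category": "bluetooth", "approval_result": "satisfied",
         "info_table": {"summary": "constructed"}},
        {"name": "V-3", "module_category": "kernel", "approval_result": None,
         "info_table": {}},
    ]
    pool = CveIdPool(["CVE-PLACEHOLDER-0001"])
    manual = lambda n: ["CVE-PLACEHOLDER-%04d" % i for i in range(2, 2 + n)]
    pre = assign_cve_ids(to_be_released_lists(vulns), pool, manual)
    pre = mark_lists(pre, {"V-1": {"repair_result": "fixed",
                                   "problem_reason": "constructed",
                                   "bulletin": "constructed"}})
    released = release_list(approval_list(pre), {"V-1": ["reporter-a"]})
    completed = apply_feedback(vulns, released,
                               [released[0]["cve_id"], "CVE-PLACEHOLDER-9999"])
    return {"pre": pre, "released": released, "completed": completed, "vulns": vulns}
```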
The embodiment of the invention provides a vulnerability management method that acquires at least one piece of vulnerability information in the vulnerability synchronization stage; obtains an approval result corresponding to each piece of vulnerability information; acquires an approval list from at least one approval result in the vulnerability pre-release stage; and, in the vulnerability feedback stage, sends the vulnerability release list corresponding to the approval list to the release system in response to a send operation input by the vulnerability manager. This builds a standardized management system that minimizes the subjective factors of personal judgement and experience, and describes roles and sets permissions explicitly, so that the key tasks of each role are clearer. The vulnerability management flow is centralized under a unified management mechanism: even when vulnerability management work is scattered across different systems and departments, vulnerability processing progress can be monitored in real time and a large amount of repetitive labour is eliminated, so that security management becomes targeted and procedural, efficiency and management quality improve, and at the same time rich data and cases accumulate for security management, which makes later optimization and improvement easier.
Corresponding to the above embodiments, the application also provides a vulnerability management system. Fig. 9 is a schematic structural diagram of a vulnerability management system according to an embodiment of the present invention; the vulnerability management system 800 may include a processor 801, a memory 802 and a communication unit 803. These components communicate via one or more buses. Those skilled in the art will appreciate that the configuration of the vulnerability management system shown in fig. 4 does not limit the embodiments of the present invention: it may be a bus-type or star-type configuration, include more or fewer components than shown, combine certain components, or arrange the components differently.
The communication unit 803 is configured to establish a communication channel so that the vulnerability management system can communicate with other devices, receiving user data sent by other devices or sending user data to them.
The processor 801 is the control centre of the vulnerability management system. It connects the various parts of the whole system through various interfaces and lines, and performs the functions of the vulnerability management system and/or processes data by running or executing the software programs, instructions and/or modules stored in the memory 802 and invoking the data stored in the memory. The processor may consist of integrated circuits (ICs), such as a single packaged IC, or of multiple packaged ICs with identical or different functions connected together. For example, the processor 801 may include only a central processing unit (CPU). In the embodiment of the invention, the CPU may have a single operation core or multiple operation cores.
The memory 802 stores the instructions executed by the processor 801. The memory 802 may be implemented by any type of volatile or non-volatile memory device, or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk.
When the instructions in the memory 802 are executed by the processor 801, the vulnerability management system 800 can perform some or all of the steps of the embodiment shown in fig. 4.
In a specific implementation, the present invention further provides a computer-readable storage medium that may store a program which, when executed, may perform some or all of the steps of each embodiment of the vulnerability management method provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM) or the like.
It will be apparent to those skilled in the art that the techniques of the embodiments of the present invention may be implemented in software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solutions of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disk, which includes several instructions for causing a system (which may be a personal computer, a server, a network device or the like) to execute the method described in the embodiments or in some parts of the embodiments of the present invention.
The foregoing description of the preferred embodiments is not intended to limit the invention; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope. The same or similar parts of the various embodiments in this specification may be referred to each other. In particular, the method and system embodiments are described relatively briefly because they are substantially similar to the apparatus embodiments; refer to the description of the apparatus embodiments for the relevant parts.

Claims (10)

1. A vulnerability management method, comprising:
in a vulnerability synchronization stage, acquiring at least one piece of vulnerability information;
obtaining, according to the at least one piece of vulnerability information, an approval result corresponding to each piece of vulnerability information;
in a vulnerability pre-release stage, acquiring an approval list according to at least one approval result; and
in a vulnerability return stage, in response to a sending operation input by a vulnerability manager, sending a vulnerability release list corresponding to the approval list to a release system.
2. The method of claim 1, wherein obtaining, according to the at least one piece of vulnerability information, an approval result corresponding to each piece of vulnerability information comprises:
in a vulnerability retest stage, in response to an operation, input by the vulnerability manager, of reproducing a vulnerability environment according to the vulnerability information, sending the reproduced vulnerability environment to a vulnerability resolution system, and, in response to a dividing operation input by the vulnerability manager, determining a vulnerability module category corresponding to the vulnerability information;
in a vulnerability resolution stage, in response to the project manager corresponding to the vulnerability module category having configured a vulnerability data information filling template, generating vulnerability attachment information according to operations input by a developer and the vulnerability data information filling template;
in a vulnerability audit stage, in response to an audit-pass operation input after the project manager audits the vulnerability attachment information, acquiring a first state of the vulnerability resolution system and a second state of the vulnerability attachment information; and
when the first state is a solving state and the second state is a finishing state, confirming that the approval result corresponding to the vulnerability information is a condition-met result.
3. The method of claim 2, further comprising, after generating the vulnerability attachment information:
in response to an audit-fail operation input after the project manager audits the vulnerability attachment information, executing the vulnerability resolution stage again, that is, in response to the project manager corresponding to the vulnerability module category having configured the vulnerability data information filling template, generating vulnerability attachment information according to operations input by the developer and the vulnerability data information filling template.
4. The method of claim 1, wherein obtaining, according to the at least one piece of vulnerability information, an approval result corresponding to each piece of vulnerability information comprises:
in a vulnerability retest stage, in response to an operation, input by the vulnerability manager, of reproducing a vulnerability environment according to the vulnerability information, sending the reproduced vulnerability environment to a vulnerability resolution system, and, in response to a dividing operation input by the vulnerability manager, determining a vulnerability module category corresponding to the vulnerability information;
in a vulnerability resolution stage, in response to the project manager corresponding to the vulnerability module category not having configured a vulnerability data information filling template, generating vulnerability default information according to operations input by a developer and an acquired vulnerability default information template;
in a vulnerability audit stage, in response to an audit operation initiated by the vulnerability manager, acquiring an audit result input after a vulnerability audit group audits the vulnerability default information;
in response to the audit result being an audit-pass result, acquiring a first state of the vulnerability resolution system and a second state of the vulnerability attachment information; and
when the first state is a solving state and the second state is a finishing state, confirming that the approval result corresponding to the vulnerability information is a condition-met result.
5. The method of claim 4, further comprising, after acquiring the audit result input after the vulnerability audit group audits the vulnerability default information:
in response to the audit result being an audit-fail result, executing the vulnerability resolution stage again, that is, in response to the project manager corresponding to the vulnerability module category not having configured the vulnerability data information filling template, generating vulnerability default information according to operations input by the developer and the acquired vulnerability default information template.
6. The method of claim 1, wherein acquiring an approval list according to at least one approval result comprises:
in response to a list-formulation operation input by the project manager corresponding to each of at least one vulnerability module category, generating a pre-release vulnerability list for each vulnerability module category according to the obtained target vulnerability pre-release information corresponding to that category, wherein the approval result corresponding to each piece of target vulnerability pre-release information is a condition-met result;
generating at least one pre-release list according to the obtained vulnerability disclosure identification code corresponding to each piece of target vulnerability pre-release information and the at least one pre-release vulnerability list, wherein each pre-release list comprises the target vulnerability pre-release information corresponding to a vulnerability module category and the vulnerability disclosure identification code corresponding to each piece of that information;
updating the at least one pre-release list in response to a tagging operation input by a third-party system interface person on the at least one pre-release list; and
in response to completion of an audit operation input by the vulnerability manager on the at least one pre-release list, generating the approval list according to the audited at least one pre-release list.
7. The method of claim 1, wherein the approval list comprises at least one audited pre-release list, each comprising at least one piece of target vulnerability pre-release information; and wherein, before sending the vulnerability release list corresponding to the approval list to the release system in response to the sending operation input by the vulnerability manager, the method further comprises:
obtaining vulnerability release information corresponding to each piece of target vulnerability pre-release information according to the at least one audited pre-release list; and
generating the vulnerability release list according to the at least one piece of vulnerability release information.
8. A vulnerability management device, comprising a vulnerability collection module and a vulnerability pre-release module, wherein:
the vulnerability collection module is configured to acquire at least one piece of vulnerability information in a vulnerability synchronization stage, and to obtain, according to the at least one piece of vulnerability information, an approval result corresponding to each piece of vulnerability information; and
the vulnerability pre-release module is configured to acquire an approval list according to at least one approval result in a vulnerability pre-release stage, and, in a vulnerability return stage, in response to a sending operation input by a vulnerability manager, to send a vulnerability release list corresponding to the approval list to a release system.
9. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored program, wherein the program, when run, controls a device in which the computer readable storage medium is located to perform the method of any one of claims 1 to 7.
10. A vulnerability management system comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, cause the vulnerability management system to perform the method of any one of claims 1 to 7.
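As an added illustration, not code from the patent or its applicant, the following Python models the approval decision of claims 2 to 5 (audit verdict, then the two-state check) and the per-category pre-release and release lists of claims 6 and 7. All identifiers, state names and sample vulnerabilities are constructed for the example, and requiring a disclosure code before pre-release is this example's own assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

# State and result names follow the claims' wording; the values are constructed.
SOLVING, FINISHING = "solving", "finishing"     # first / second state (claim 2)
PASS, FAIL = "pass", "fail"                     # audit outcomes (claims 2-5)
MET, NOT_MET, REJECTED = "condition_met", "condition_not_met", "rejected"

@dataclass
class Vuln:
    vuln_id: str            # constructed identifier
    module: str             # vulnerability module category (claim 2)
    resolution_state: str   # first state: state of the vulnerability resolution system
    attachment_state: str   # second state: state of the vulnerability attachment info
    audit: str              # project manager or audit group verdict
    disclosure_id: str = "" # vulnerability disclosure identification code (claim 6)
    stage: str = "audit"

def approve(v: Vuln) -> str:
    """Claims 2-5: an audit failure returns the item to the resolution stage;
    otherwise approval holds only when both states match the claims' conditions."""
    if v.audit != PASS:
        v.stage = "resolution"          # re-execute the resolution stage (claims 3, 5)
        return REJECTED
    v.stage = "pre-release"
    ok = v.resolution_state == SOLVING and v.attachment_state == FINISHING
    return MET if ok else NOT_MET

def pre_release_lists(vulns: list) -> dict:
    """Claim 6: one pre-release list per module category, holding only items whose
    approval result met the condition, each paired with its disclosure code.
    Requiring a non-empty disclosure code is this example's assumption."""
    lists = defaultdict(list)
    for v in vulns:
        if approve(v) == MET:
            if not v.disclosure_id:
                raise ValueError(f"{v.vuln_id}: disclosure code missing before pre-release")
            lists[v.module].append((v.vuln_id, v.disclosure_id))
    return dict(lists)

def release_list(audited_lists: dict, tags: dict) -> list:
    """Claims 6-7: apply the third-party interface tags, then flatten the audited
    pre-release lists into the release list handed to the release system."""
    return [
        {"id": vid, "disclosure_id": did, "module": module, "tag": tags.get(vid, "")}
        for module, items in audited_lists.items()
        for vid, did in items
    ]
```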
CN202311509695.1A 2023-11-13 2023-11-13 Vulnerability management method, device, system and storage medium Pending CN117407887A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311509695.1A CN117407887A (en) 2023-11-13 2023-11-13 Vulnerability management method, device, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311509695.1A CN117407887A (en) 2023-11-13 2023-11-13 Vulnerability management method, device, system and storage medium

Publications (1)

Publication Number Publication Date
CN117407887A true CN117407887A (en) 2024-01-16

Family

ID=89497982

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311509695.1A Pending CN117407887A (en) 2023-11-13 2023-11-13 Vulnerability management method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN117407887A (en)

Similar Documents

Publication Publication Date Title
US6324647B1 (en) System, method and article of manufacture for security management in a development architecture framework
US7139999B2 (en) Development architecture framework
US6256773B1 (en) System, method and article of manufacture for configuration management in a development architecture framework
US6662357B1 (en) Managing information in an integrated development architecture framework
US20060155738A1 (en) Monitoring method and system
US20220391925A1 (en) Compliance management system
CN106325883A (en) Development method and system for industry business area information system
CN108683559A (en) A kind of cloud computing platform test method
US20230281109A1 (en) Debugging data privacy pipelines using sample data
US20230281342A1 (en) Granting entitlements to log data generated by a data privacy pipeline to facilitate debugging
Ahmadian et al. Privacy-enhanced system design modeling based on privacy features
Bokhari et al. A Comparative study of software requirements tools for secure software Development
Felderer et al. Evolution of security requirements tests for service–centric systems
Kudriavtseva et al. Secure software development methodologies: a multivocal literature review
US11922145B2 (en) Initiating data privacy pipelines using reusable templates
CN117407887A (en) Vulnerability management method, device, system and storage medium
Block How to Adapt and Implement a Large-Scale Agile Framework in Your Organization
CN114911773A (en) Universal meta-model design method
Wrona et al. Security accreditation and software approval with smart contracts
CN114066395A (en) Project management method and system established by combining expert database
Dai et al. A Survey of Modeling and Analysis Approaches for Architecting Secure Software Systems.
Misra et al. Software design
US11496477B2 (en) Systems and methods for onboarding and managing applications over networks
Moghaddasi A Simulation Framework for Identity and Access Management Based on Internet of Things Architecture
US11949561B2 (en) Automated preventative controls in digital workflow

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination