Information sources to support cybersecurity vulnerability discovery are identified, at least in an ad hoc manner
Context and Guidance: Information about potential vulnerabilities is available from a wide variety of internal and external sources, such as CISA, appropriate ISACs, industry associations, vendors, federal briefings, and internal assessments. Internal sources typically provide information about vulnerabilities that are unique to the organisation and range across all asset types. These sources may provide information about vulnerabilities that the organisation has observed or that have been exploited, resulting in disruption to the organisation. External or public sources typically provide information that is focused on common technologies that are used by a wide range of organisations.
Vulnerabilities in the traditional sense include software bugs, omission errors, poor code construction, poor configuration, or processing failures. However, other risk exposures can create vulnerabilities that should be identified, processed, and responded to in a similar manner as vulnerabilities that are, for example, reported by software vendors or included in vulnerability catalogs. These types of vulnerabilities might include poor process performance, insider threats, and internal audit findings. These types of vulnerabilities should be included when considering identification of sources for vulnerability discovery. The identified sources of vulnerability information should align with the organisation’s vulnerability identification and analysis needs.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THREAT-1a, THREAT-1e, THREAT-1j.