New vulnerabilities are disclosed every day, and it’s impossible for humans to manually – and continually – scour the internet for vulnerability announcements. As an asset owner, you may not even know which third-party components are embedded in the products you use, so you can’t tell whether a given announcement affects you.
FACT does this work for you, identifying vulnerabilities that may be present in the products you use across your operations, regardless of who the suppliers are. This analysis is performed continuously so you can avoid assigning valuable resources to this tedious task.
The Visibility Report dashboard shows you, at a glance, how many of your products are potentially affected by vulnerabilities, along with their status. From there, you’re a click away from viewing the associated files and drilling into them to view the vulnerabilities and the affected components.
When a vulnerability in a widely used component is publicly disclosed (such as the Log4j flaw) and you want to know whether it affects you, you can search for the component and FACT will tell you which of your files, if any, contain it. This lets you quickly locate where the problem exists in your software ecosystem.
Suppliers using FACT can create exploit assessments to address vulnerabilities associated with their product files. The exploit assessment communicates the state of an associated vulnerability — such as whether or not their product is affected — to asset owners. You can view exploit assessments related to your submitted files when viewing the file details. As an asset owner, you do not have or need the ability to create exploit assessments for the files you have submitted to FACT.
Anatomy of a CVE
Vulnerabilities are typically registered and assigned a CVE (Common Vulnerabilities and Exposures) identifier, written in the form CVE-YYYY-NNNN. This ID gives suppliers, asset owners, and threat hunters a single name for the flaw so they can track it and communicate about it unambiguously.
A CVE usually has an accompanying CVSS (Common Vulnerability Scoring System) score, a number from 0.0 to 10.0 that rates the severity of the flaw itself (the higher the number, the more severe). Note that the base score describes the flaw in isolation, not the risk to your particular deployment, which is why a supplier’s exploit assessment can still mark a high-scoring CVE as not affecting their product.
The CVE record may also carry CPE (Common Platform Enumeration) names, which identify the affected vendor, product, and version range. These are what allow a vulnerability to be matched to the components and assets you actually have.
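The following is an added example of how the three pieces fit together: it parses CPE 2.3 names, matches constructed CVE records (vendor, product and version range) against a constructed component inventory, and ranks the findings by CVSS. It is illustration code written for this page, not FACT’s own code, and says nothing about how FACT matches internally. The record layout is loosely modelled on NVD-style `cpeMatch` entries but simplified; the CVE IDs are placeholders and the files, components, version ranges and scores are all constructed.

```python
"""CVE-to-inventory matching via CPE names, ranked by CVSS.
Added example for this page, not FACT's own code; every record, file name,
version range and score below is constructed for illustration only."""
import json
import re

# Constructed records. Field names loosely follow NVD-style "cpeMatch" entries
# (criteria plus version bounds) but are simplified; the CVE IDs are
# placeholders and the ranges/scores do not describe real advisories.
SAMPLE_CVES = json.loads(r"""
[
  {"id": "CVE-0000-0001", "cvss": 10.0, "cpe_match": [
     {"vulnerable": true, "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "2.0-beta9", "versionEndExcluding": "2.15.0"}]},
  {"id": "CVE-0000-0002", "cvss": 5.3, "cpe_match": [
     {"vulnerable": true,
      "criteria": "cpe:2.3:a:example_vendor:example_lib:1.4.2:*:*:*:*:*:*:*"}]},
  {"id": "CVE-0000-0003", "cvss": 7.5, "cpe_match": [
     {"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"},
     {"vulnerable": true,
      "criteria": "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*",
      "versionEndIncluding": "1.3.0"}]}
]
""")

# Constructed inventory: components an SBOM extractor found in submitted files,
# each already named as a CPE 2.3 formatted string.
SAMPLE_INVENTORY = [
    {"file": "gateway-firmware-3.1.bin", "cpe": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"},
    {"file": "gateway-firmware-3.1.bin", "cpe": "cpe:2.3:a:example_vendor:example_lib:1.4.2:*:*:*:*:*:*:*"},
    {"file": "hmi-app-2.0.zip", "cpe": "cpe:2.3:a:apache:log4j:2.17.1:*:*:*:*:*:*:*"},
    {"file": "hmi-app-2.0.zip", "cpe": "cpe:2.3:a:example_vendor:example_lib:1.2.9:*:*:*:*:*:*:*"},
]

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attributes. Colons inside a
    value are escaped as backslash-colon, so split only on unescaped colons."""
    tokens = re.split(r"(?<!\\):", cpe)
    if len(tokens) != 13 or tokens[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, tokens[2:]))

def version_key(v: str) -> list:
    """'2.14.1' -> [(2,0,''),(14,0,''),(1,0,'')]; a pre-release suffix such as
    '-beta9' gets flag -1 so it sorts below the bare number."""
    key = []
    for part in v.split("."):
        num, suffix = re.match(r"(\d*)(.*)", part).groups()
        key.append((int(num) if num else 0, -1 if suffix else 0, suffix))
    return key

def version_cmp(a: str, b: str) -> int:
    """-1 / 0 / 1 for a < b, a == b, a > b; shorter versions are zero-padded."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(0, 0, "")] * (width - len(ka))
    kb += [(0, 0, "")] * (width - len(kb))
    return (ka > kb) - (ka < kb)

def version_in_range(version: str, match: dict) -> bool:
    """Apply the start/end bounds carried by a cpeMatch entry."""
    checks = (("versionStartIncluding", lambda c: c < 0),
              ("versionStartExcluding", lambda c: c <= 0),
              ("versionEndIncluding", lambda c: c > 0),
              ("versionEndExcluding", lambda c: c >= 0))
    for field, out_of_range in checks:
        if field in match and out_of_range(version_cmp(version, match[field])):
            return False
    return True

def cpe_matches(component_cpe: str, match: dict) -> bool:
    """Does a concrete component CPE fall under a vulnerable cpeMatch entry?"""
    if not match.get("vulnerable", True):
        return False  # "running on" platform criteria, not the flawed component
    comp, crit = parse_cpe(component_cpe), parse_cpe(match["criteria"])
    for field in CPE_FIELDS:
        # '*' (ANY) in the criteria matches anything; other attributes must agree
        # case-insensitively. The version attribute is handled below.
        if field != "version" and crit[field] != "*" and crit[field].lower() != comp[field].lower():
            return False
    if crit["version"] == "*":
        return version_in_range(comp["version"], match)
    return crit["version"].lower() == comp["version"].lower()

def find_affected(cves: list, inventory: list) -> list:
    """Findings (file, component CPE, CVE, CVSS) sorted by CVSS, highest first."""
    findings = [{"file": item["file"], "cpe": item["cpe"], "cve": cve["id"], "cvss": cve["cvss"]}
                for cve in cves for item in inventory
                if any(cpe_matches(item["cpe"], m) for m in cve["cpe_match"])]
    return sorted(findings, key=lambda f: -f["cvss"])

def files_containing(inventory: list, vendor: str, product: str) -> set:
    """The 'which of my files contain log4j?' search, independent of version."""
    return {item["file"] for item in inventory
            if parse_cpe(item["cpe"])["vendor"].lower() == vendor.lower()
            and parse_cpe(item["cpe"])["product"].lower() == product.lower()}

if __name__ == "__main__":
    for f in find_affected(SAMPLE_CVES, SAMPLE_INVENTORY):
        print(f"{f['cvss']:>4}  {f['cve']}  {f['file']}  {f['cpe']}")
    print("files containing log4j:", sorted(files_containing(SAMPLE_INVENTORY, "apache", "log4j")))
```

Two details are worth noticing when doing this by hand. A CVE record can list a CPE with `vulnerable: false` (the platform the flaw runs on rather than the flawed component), and matching on it would produce false positives; and the version bounds need a real version comparison, since `"2.14.1" < "2.15.0"` as a string comparison happens to work while `"2.9" < "2.15"` does not. The `log4j 2.17.1` component is correctly left out because it sits above the `versionEndExcluding` bound.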