We believe that Grammarly's users should have transparency into how their data is protected. One of the main ways we protect users is by catching and resolving vulnerabilities in our systems before attackers can exploit them. In this post, we'll share how our vulnerability management program at Grammarly keeps our development pipeline and user data secure.
Meeting the vulnerability management challenge at Grammarly
In recent years, we've invested significantly in our vulnerability management program. Previously, like many other companies, we relied on several vulnerability platforms to automate our security assessments. Each tool had a different user interface and console, and the results of these separate tools presented a fragmented view that we needed to consolidate manually. At times, after detecting a vulnerability, we encountered delays in addressing it due to challenges in identifying the right contacts for remediation and assessing its potential impact.
Prioritizing which vulnerabilities to address first also posed challenges. The Common Vulnerability Scoring System (CVSS) provides a standardized way of scoring vulnerabilities and offers mitigating factors, like Temporal and Environmental scores, that contextualize them further. However, it's essential to interpret these scores in the context of your organization's unique environment, assets, and risk appetite, as the vendor can't go beyond the base score and doesn't have enough data or capabilities to automate setting the Temporal or Environmental score. For example, a vulnerability like CVE-2021-4428 – Log4j, which has the highest base score of 10, would usually warrant a high priority for remediation, but the priority may be lower for a back-end system with minimal access. To understand the true priority of each case, we need to use the CVSS score as an initial indication of the vulnerability's severity, which can then be combined with other contextual and environmental factors to determine its actual risk and prioritization.
We created a custom vulnerability data ingestion and prioritization workflow to obtain a consolidated view of vulnerabilities and better prioritize our remediation efforts. As a result, security engineers at Grammarly can now obtain critical context on our asset exposure, business roles, and the types of data being affected. Using this information, we can prioritize our efforts more effectively and rapidly reduce risk.
The next section will show how we achieved this in more detail.
How we assess, prioritize, and remediate vulnerabilities
We're continuously conducting rolling assessments of our development infrastructure and pipeline. This is necessary because new vulnerabilities in cloud systems, open-source systems, operating systems, and development tools arise every day.
"Work on what matters" is one of our most important tenets as a security team. When we detect a vulnerability, we don't just look at the immediate exposure and severity score; we understand the full context to make sure we're prioritizing effectively. This means modeling the following:
- Attack paths: An attack path is a sequence of points that reach an asset of value, such as customer data. We look at what devices or systems can interact with the affected service to determine whether this vulnerability exposes any high-risk attack paths.
- Data criticality: Data regulated by industry, government, or our internal policy mandates is of the utmost importance to protect.
- Security intelligence: We continuously identify adversaries, study their attack methods, and replay those methods within our environment. This lets us learn their tactics, techniques, and procedures (TTPs). We correlate TTPs with our vulnerability reports to understand which vulnerabilities reside in systems that attackers are most likely to try to exploit.
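The following is an added example (not Grammarly's code) of the prioritization idea above: the CVSS base score is only the starting point, and asset exposure, regulated data and a TTP match adjust it. The exposure weights, multipliers, data-class labels and thresholds are assumed values chosen for illustration, not figures from the post.

```python
"""Context-aware vulnerability prioritization: an illustrative scheme, not Grammarly's code."""
from dataclasses import dataclass, field

# Exposure weights (assumed values): an internet-facing asset is a likelier first hop
# on an attack path than an isolated back-end system with minimal access.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.4}

# Data classes whose presence raises the stakes (regulated by industry, government
# or internal policy). Labels are constructed for this example.
REGULATED_DATA = {"pii", "payment", "health"}


@dataclass
class Finding:
    cve: str                        # identifier from the scanner report
    cvss_base: float                # vendor-supplied CVSS base score, 0.0-10.0
    asset: str                      # inventory name of the affected system
    exposure: str                   # one of the EXPOSURE_WEIGHT keys
    data_classes: set = field(default_factory=set)
    ttp_match: bool = False         # a tracked adversary TTP targets this component

def contextual_score(f: Finding) -> float:
    """Scale the base score down for hard-to-reach assets, back up for regulated
    data and TTP matches, and cap the result at 10.0 like CVSS itself."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {f.cvss_base}")
    if f.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"unknown exposure class: {f.exposure}")
    score = f.cvss_base * EXPOSURE_WEIGHT[f.exposure]
    if f.data_classes & REGULATED_DATA:
        score *= 1.3
    if f.ttp_match:
        score *= 1.2
    return round(min(score, 10.0), 1)

def priority(f: Finding) -> str:
    """Map the contextual score onto the remediation buckets used for SLAs."""
    s = contextual_score(f)
    if s >= 9.0:
        return "Critical"
    if s >= 7.0:
        return "High"
    return "Medium" if s >= 4.0 else "Low"

def rank(findings: list) -> list:
    """Order findings for the remediation queue, highest contextual score first."""
    return sorted(findings, key=contextual_score, reverse=True)
```

With this scheme a base-10 finding on an internet-facing asset holding regulated data stays Critical, while the same finding on an isolated back-end worker drops to Medium, which is the Log4j contrast the post describes.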
When it comes to remediation, we work on updating and patching our systems and automating tasks whenever possible. For example, if a vulnerability is announced in one of the developer libraries our teams use, we'll immediately upgrade our teams' libraries to the same version for everyone. If a vulnerable library or other component appears in a container, we'll update the base container image and eliminate the issue systemwide at scale.
In addition, we maintain an accurate and up-to-date inventory of internal assets and their owners. This helps us engage with the right people to make fixes in minutes or seconds.
Metrics, dashboards, and how Grammarly continuously improves our vulnerability management program
Measurement is key to improvement, and we've centered our vulnerability management program around a core set of metrics:
- Mean time to discover: Time from detecting where a vulnerability is in our system to publicly documenting it
- Coverage: The portion of our development environment that we're covering
- Scan failures: How often do our scans fail (error, crash, time-out, broken configuration, unsupported technology, etc.)?
- Bad tickets: Number of tickets not meeting our quality standards, which are (1) must have an owner, (2) must have a severity, (3) must have a due date
- False positives: We monitor false positive rates and keep them below 30%. Why not zero? We worry about false negatives.
- Mean time to fix: Time from discovering a vulnerability to fully resolving it (including rolling out the fix)
- Out of SLA: We monitor for issues that exceed our mean time to fix for Critical (14 days) and High (30 days).
It's one thing to track these metrics, but one of our tenets is that we're never done improving. This is why we look at our key metrics every week, analyze what has changed for better or worse, and brainstorm ways we can be better. We actively examine our data to learn from past situations and improve our tools and processes.
Finally, so that the right stakeholders always have access to the right vulnerability management information, we provide dashboards tailored to different roles:
- Security leadership: We provide security leaders with a high-level overview of the status of our program. This includes the number of vulnerabilities uncovered in our assessments, the percentage of those that have been remediated, and trends over time.
- Engineering leadership: We provide engineering leaders with insights on the state of security in their area, including a list of security vulnerabilities to resolve, upcoming and current out-of-SLA issues, and their team's remediation velocity.
- Engineers: We provide team members with data relevant to their role, such as a prioritized manifest of vulnerabilities assigned to them and auto-remediation code changes they need to approve.
We're proud of how far we've come with our vulnerability management program. The work is ongoing as we continuously assess our systems for new vulnerabilities, prioritize the resulting updates, and validate that patches are in place. In addition, we constantly measure how well we're doing to identify ways we can improve.
Managing vulnerabilities is a project that's never done, and it's another example of how we strive every day to live up to our users' trust in Grammarly. If that mission resonates with you, check out our open roles and consider joining Grammarly today.