Case Study

Toward Programmatic Management of Vulnerability Risk

  • Implement a consolidated risk-driven model
  • Minimize detection tool noise
  • Improve findings fidelity
  • Automate ticket assignment
  • Standardize reporting of remediation activity
  • Track and measure impact
  • Freed security team from manual processes
  • Improved focus on highest risk findings
  • Reversed alert backlog
  • Enhanced collaboration with engineering, product teams
  • Alignment across stakeholders on risk management

Challenge

Uplight's security team serves a technology solutions provider that handles the energy data of millions of customers. The team's focus is on two primary objectives: build more security into the Uplight platforms and applications, and meet the responsibility of keeping customer data secure.

Uplight’s security team recognized that the vulnerability management lifecycle is key to achieving these platform and application integrity objectives - but to be more effective, the team would need to:

  • Implement a consolidated, risk-driven model across Uplight technology operations
  • Improve security efficiency by minimizing detection tool noise, and improving findings fidelity
  • Incorporate business context for focused risk identification and prioritization
  • Automate ticket assignment to risk finding owners in relevant downstream systems
  • Standardize reporting of remediation activity for dev, engineering, and product teams
  • Track and measure impact of security team for managing risk for key stakeholders

Solution

The Uplight team deployed the Silk platform, with integrations for: ingestion of data from vulnerability, cloud, and AppSec security tools; mapping of asset ownership via code repo integration, consumed asset tags, and custom asset labels; and automation of ticketing workflows based on asset ownership.

With Silk in place, the security team set out to achieve:

  • Holistic, application-tier insight into security findings, asset links, and asset owners
  • Streamlined risk assessment with findings consolidation, asset context, and severity scoring
  • Automated ownership assignment via asset-based rules, and ongoing asset coverage tracking
  • Focus on high-impact fixes via root cause analysis and application-tier context
  • Automated ticket assignment using organizational, asset ownership rules
  • Shift to programmatic and formalized security strategy across the business

Outcomes

Consolidated visibility across products and infrastructure, with root cause analysis for risk prioritization and ownership assignment for efficiency

Cut time spent on identifying owners and assigning tickets by 90%, with custom ticketing rules

Increased the number of closed findings by 7x over three months, reducing overall threat debt

Halved the time for resolution of critical findings, with further reductions in response times anticipated
