How to Achieve the Outcome You Want
These are the key takeaways from Parts 1 and 2 of your Vigiles Prime Evaluation Tutorial. They provide an overview of the big picture goals around different outcomes you might be prioritizing in your search for a CVE management tool.
See only vulnerabilities relevant to my product
Use the build integration if possible. Otherwise, use the CSV manifest option, and make sure you use good package names, include versions, include patch information, and include your kernel and U-Boot config information. This will ensure you only see vulnerabilities that apply to your system.
Get accurate information from the vulnerability database
The NVD is a great resource, but the data it lists can have shortcomings. Inconsistent naming of packages, typos in versions, incorrect coverage of which versions are affected, outdated information, and a lack of version information can all result in false positives. Our security team cleans up the data we curate, improving the accuracy of the data by 40% on average.
Quickly triage CVEs so that I can address only the critical vulnerabilities
Once your software bill of materials is scanned and your report is generated, you can filter the CVEs based on several metrics: package affected, patch or fix availability, CVE severity, custom scoring, affected platforms, whether or not you added notes or comments, and kernel and U-Boot configuration options. If you can’t find a filter that works in your triage, let us know, and we’ll look into adding it.
Coordinate CVE management within my team and integrate into issue tracking systems
Each Vigiles subscription initially includes 10 seats. They will be assigned to the same team, allowing manifests to be shared and enabling other team members to add notes to CVEs and to whitelist them.
Vigiles can be connected to Jira and generate issues from within the Vigiles report interface.
Find appropriate fixes faster
For all of the CVEs found in your scanned manifest, Vigiles will let you know whether a fix that remediates the vulnerability exists or whether no fix is yet available. If there is a fix for the vulnerability, Vigiles will give you the patch, minimum version, and/or config option information needed to mitigate it. Links to the appropriate resources are also available in the report.
Collect changes quickly for regulatory purposes
Compare reports between builds as well as between entirely different products. You’ll get the package and vulnerability changes, and you can use this information to meet your regulatory requirements.
Easily continue monitoring for new CVEs and changes
Set up periodic scans for your manifest at a daily, weekly, or monthly cadence. When new CVEs come up, we’ll send out a link to the new report via email.
Our security team will also provide early notification of new CVEs, usually 2 weeks ahead of the NVD.
You can also set up alerts that will be triggered based on CVSS score thresholds, custom score thresholds, or the addition of packages that have a non-authorized license type.