Product lifecycle & vulnerability
With the product lifecycle & vulnerability solution, Versio.io supports customers in evaluating used hardware and software products with regard to their lifecycle and known security vulnerabilities on the basis of the detected version.
Dashboard
The dashboard provides an assessment of the product life cycle (release patch management) for all technologies and versions identified in the inventory and recognises publicly known vulnerabilities (CVEs, adivisories) for deployed technologies.
It is a live dashboard that always shows the current status. For the audit-proof detection and documentation of violations, you should generate guidelines with your customer-specific strategy.
Figure: Product lifecycle & vulnerability dashboard
General
Versio.io uses knowledge databases on the life cycle of products and publicly known vulnerabilities (CVEs + adivisories) to evaluate product versions. The partial and overall status is displayed in the form of rounded rectangles. These can assume three different, colour-coded statuses:
- green = successful assessment performed on the basis of the knowledge database
- red = unsuccessful assessment based on the knowledge database
- grey = no data on the product or version is stored in the knowledge database
- Life cycle = the version is unknown
- CVE = the mapping for manufacturer and product does not exist (as no CVE exists to date) or is not stored in the knowledge database
Assessment
A separate assessment is carried out for each recognised product and version. The following figure shows an example of an assessment. We want to use this example to better understand how this is to be interpreted.
The status of the assessment is shown as an ambulance for the life cycle and security as a sign. The colours red and green symbolise the assessment result.
Figure: Product lifecycle & vulnerability dashboard
Lifecycle
The product life cycle indicates whether the customer-specific strategy for evaluating the version used has been implemented. The configurable strategy and evaluation are shown on the left-hand side of the table. The right-hand side shows the current life cycle status for the product version. All strategies must be successfully implemented for the overall life cycle assessment. Clicking on the ‘xxx lifecycle details’ button takes you directly to all available information on the specific product.
Versio.io defines an evaluation strategy for each product by default. This can be customised (
Contect menu ->Customize dashboard).
Figure: Lifecycle assessment
Security
The security indicates whether known vulnerabilities have been identified for the version used on the basis of the customised strategy. The configurable strategy and assessment are shown on the left-hand side of the table. The right-hand side shows whether vulnerabilities have been identified for one of the following categories:
- The CVE directly addresses the product version.
- The CVE defines a vulnerability in relation to another parameter (e.g. operating system).
- The CVE defines a blanket vulnerability for all current and future product versions.
All strategies must be successfully implemented for the overall life cycle assessment. All identified vulnerabilities are listed. Clicking on the link takes you directly to the details of the specific vulnerabilities.
Versio.io defines an evaluation strategy for each product by default. This can be customised (
Contect menu ->Customize dashboard).
Figure: Security assessment
Recommended tasks & affected instance
If the life cycle or security status has not been successfully passed (=red), Versio.io determines a recommended action for an update or upgrade of the product version. The Versio.io recommendation fully restores the compliance status with regard to life cycle and security status (=green). No recommendations indicate that there is no higher version that can restore the compliance status or that Versio.io does not have a corresponding version history.
The ‘Affected instances’ section lists all inventoried instances that contain corresponding product and version information. In other words, which are the source of the evaluation.
Figure: Recommended tasks & affected instance
Customizing
The strategies for the evaluation can be customised. This can be customised (Contect menu ->Customize dashboard). Enclosed is an overview of the meaning of the acronyms used:
| Acronym | Name | Note |
|---|---|---|
| STA | Stable version | |
| LR | Latest release | |
| LRV | Latest release version | |
| LTS | Long term release | |
| LLTS | Latest long termin release | The version must be part of the current long term release (LTS). |
| S | Support | |
| eS | Extended support | |
| M | Maintenance | |
| eM | Extended maintenance | The version must have maintenance and extended maintenance. |
| CVE | Common vulnerabilities & exposures | |
| aCVE | Ambiguous common vulnerabilities & exposures | |
| iCVE | Implicite common vulnerabilities & exposures |
Figure: Acronyme