Vulnerability Management
A good vulnerability detection, remediation, and continuous monitoring policy is necessary to mitigate threats.
Additionally, establish a systematic framework to identify, assess, prioritize, and mitigate vulnerabilities in servers that interact with the Solana network, ensuring confidentiality, integrity, and availability.
Scope
Applies to all physical or virtual servers running nodes, RPC endpoints, validators, or pentesting tools on the Solana network, in both production and test environments, including servers deployed on the Solana network itself (mainnet/testnet).
Vulnerability Identification
Vulnerability scans will be performed monthly by the security team.
Tools used:
• Nmap: for detection of open ports and exposed services.
• Nessus: for in-depth scanning of known vulnerabilities.
• OpenVAS: for detailed analysis and correlation with CVEs.
Additional scans will be performed:
• After critical updates to the Solana system or software.
• Upon publication of new relevant CVEs.
Evaluation and Prioritization
A risk score based on CVSS v3.1 will be assigned.
Classification:
• Critical (CVSS ≥ 9.0): Mitigation in < 24 hours.
• High (7.0 ≤ CVSS < 9.0): Mitigation in < 72 hours.
• Medium (4.0 ≤ CVSS < 7.0): Mitigation in < 7 days.
• Low (CVSS < 4.0): Quarterly assessment.
Treatment
• Patching via apt, Docker container updates, or recompiling binaries.
• In the absence of patches, compensatory controls such as network isolation, firewall rules, or service disabling will be applied.
• All actions will be logged in the vulnerability log.
Due to the criticality and sensitivity of the server, we recommend that patching be done manually and in a controlled environment.
Patching via apt
See which packages will be upgraded:
This shows you a list of all packages that have updates available, without installing them.
If you want to save this list to a file for review or auditing:
Simulate the upgrade:
Or for a more in-depth upgrade (which may install or remove packages):
This doesn't make any changes; it just shows what would happen.
Review the details of a specific package:
If you want to see what would change in a specific package:
And to see the available version:
Recommendation:
Test updates in a staging environment if possible.
Avoid dist-upgrades or full-upgrades without checking dependencies.
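The CVSS deadlines from the Evaluation and Prioritization section and the read-only apt review steps above, as an added shell example that is not code from the original policy; the function names, the log file name and the sample apt output are assumptions made for illustration:

```shell
#!/usr/bin/env bash
# Added example (not from the original policy): helpers for the CVSS-based
# deadline table and the read-only apt review steps. Function names, the
# log file name and the sample apt output are assumptions for illustration.

# Map a CVSS v3.1 base score to the policy's severity class and deadline.
cvss_sla() {
  awk -v s="$1" 'BEGIN {
    s = s + 0
    if      (s >= 9.0) print "Critical: mitigate in < 24 hours"
    else if (s >= 7.0) print "High: mitigate in < 72 hours"
    else if (s >= 4.0) print "Medium: mitigate in < 7 days"
    else               print "Low: quarterly assessment"
  }'
}

# Turn `apt list --upgradable` output (stdin) into tab-separated
# "package<TAB>installed<TAB>candidate" rows for the vulnerability log;
# the "Listing... Done" header and any other noise is dropped.
parse_upgradable() {
  awk -F'[/ ]' '/\[upgradable from:/ {
    old = $NF; sub(/\]$/, "", old)
    printf "%s\t%s\t%s\n", $1, old, $3
  }'
}

# Constructed sample of what `apt list --upgradable` prints (not real data).
SAMPLE_UPGRADABLE='Listing... Done
examplepkg/stable 1.2.3-1 amd64 [upgradable from: 1.2.2-1]
otherpkg/stable-security 4.5.6-2 all [upgradable from: 4.5.5-1]'

# Read-only review: record pending updates in the log, then simulate the
# upgrade so nothing is installed until a human approves it.
apt_review() {
  log=${1:-vulnerability-log-$(date +%F).tsv}   # assumed log file name
  apt list --upgradable 2>/dev/null | parse_upgradable | tee -a "$log"
  apt-get -s upgrade                 # -s: simulate, no changes are made
}

# Inspect one package: versions on offer and what installing it would pull in.
apt_inspect() {
  apt-cache policy "$1"
  apt-get -s install "$1"
}

# Only touch apt when explicitly asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "review" ]; then apt_review "$2"; fi
if [ "${1:-}" = "inspect" ]; then apt_inspect "$2"; fi
```

Run it as `./apt-review.sh review` on a staging host first; the simulated upgrade output is what gets reviewed before anything is applied manually on the production server.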
Verification and Monitoring
Once remediated, the systems must be reverified and monitored.
• Rescans will be performed after each mitigation.
• A history of vulnerabilities and corrective actions will be maintained for at least 12 months.
• Internal audits will verify compliance with this policy every quarter.
Continuous Improvement
This policy will be reviewed annually or after significant security incidents. New tools or methodologies will be incorporated as the Solana ecosystem evolves and threats emerge.