Vulnerability Management Is Still a Mess

  • Network vulnerability scanners
  • Host vulnerability scanners
  • Vulnerability management tools
  • Application security scanners
[Figure: vulnerability management word cloud with the terms risk, prioritization, patch, remediation, management, assets, compliance, inventory, analysis]
  1. Vulnerability debt — Not unlike technical debt, I see companies amassing vulnerabilities that live longer than Yoda. The biggest issue, which I’ll address in a further post, is that we’re creating impossible situations for ourselves down the road.
  2. Lack of lifecycle — In a previous role, many years ago, we would scan and dump vulnerabilities to a spreadsheet. Don’t laugh, many of you do it today — this was in early 2000. Then we would present it to a technical owner of a system, who would tell us all the reasons the patch could not be applied today, next week, or sometimes ever. We’d note it in the spreadsheet, and never, ever return to this issue. So much to be said here about improper risk management, but it boils down to lifecycle. You can’t just mark it down as “accepted” and move on never to revisit. I sense another further post on this.
  3. Accountability — One of the best lessons I ever received on the topic of accountability was from a lawyer. Chief Inside Counsel, as I recall. He told me that if I was allowing a manager-level person, a technical owner, to ‘accept the risk’ on behalf of the company, I was the problem. That person had neither the authority nor the accountability to accept risk, and I was going along with it. This put both of us in the firing line if something happened… luckily I dodged that bullet, but wow. Right, another post on this topic coming too.
  4. Asset management — This may cause you to slap your forehead, so I’m warning you ahead of time. If you are vulnerability scanning only the assets you know about and calling it good, you’re going to have a bad time. The unknown unknowns will be your undoing. Your program should give as much focus to the things you don’t know exist, as the things you do. OK, so another post on this too.
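The lifecycle, accountability and asset-management points above describe checks a program can actually run rather than leave in a spreadsheet. The following is an added example, not code from the original post or any product it mentions: it models findings and risk-acceptance records on constructed data, reopens acceptances that have no expiry, have expired, or were granted by a role the policy does not authorise, lists findings that have simply aged into debt, and diffs scan scope against a discovery inventory to surface the unscanned unknowns. The role names, day limits, host names and `VULN-000x` identifiers are all constructed placeholders.

```python
"""Added example (not from the original post): a minimal lifecycle check for
vulnerability findings and their risk-acceptance records, run on constructed data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Roles permitted to accept risk on the organisation's behalf (constructed policy;
# a technical owner of a system is deliberately not on this list).
AUTHORISED_ACCEPTORS = {"ciso", "risk-committee"}

# Longest an acceptance may run before it must come back for review.
MAX_ACCEPTANCE_DAYS = 90

# Findings with no valid acceptance older than this count as vulnerability debt.
DEBT_AGE_DAYS = 180


@dataclass
class Acceptance:
    approver_role: str
    granted: date
    expires: Optional[date] = None  # None is the "accepted, never revisited" anti-pattern


@dataclass
class Finding:
    asset: str
    vuln_id: str  # constructed placeholder identifier, not a real CVE
    severity: str
    first_seen: date
    acceptance: Optional[Acceptance] = None


def review_acceptances(findings: List[Finding], today: date) -> List[Tuple[Finding, str]]:
    """Return (finding, reason) pairs for every acceptance that must be reopened."""
    issues = []
    for f in findings:
        a = f.acceptance
        if a is None:
            continue
        if a.approver_role not in AUTHORISED_ACCEPTORS:
            issues.append((f, f"accepted by unauthorised role '{a.approver_role}'"))
        if a.expires is None:
            issues.append((f, "acceptance has no expiry date"))
        elif a.expires <= today:
            issues.append((f, f"acceptance expired on {a.expires.isoformat()}"))
        elif (a.expires - a.granted).days > MAX_ACCEPTANCE_DAYS:
            issues.append((f, f"acceptance window exceeds {MAX_ACCEPTANCE_DAYS} days"))
    return issues


def vulnerability_debt(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings (no acceptance at all) that have sat longer than DEBT_AGE_DAYS."""
    return [f for f in findings
            if f.acceptance is None and (today - f.first_seen).days > DEBT_AGE_DAYS]


def unscanned_assets(scan_scope: List[str], discovered: List[str]) -> List[str]:
    """Assets present in a discovery inventory (DHCP, cloud API, passive DNS, ...)
    that the scanner has never been pointed at: the unknown unknowns."""
    return sorted(set(discovered) - set(scan_scope))


# --- constructed sample data -------------------------------------------------
TODAY = date(2022, 3, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-0001", "high", date(2021, 6, 1)),            # open ~9 months: debt
    Finding("db-02", "VULN-0002", "critical", date(2022, 1, 10),
            Acceptance("app-owner", date(2022, 1, 15), date(2022, 2, 15))),  # wrong role, expired
    Finding("erp-03", "VULN-0003", "medium", date(2021, 12, 1),
            Acceptance("ciso", date(2021, 12, 5), None)),                 # no expiry
    Finding("api-04", "VULN-0004", "high", date(2022, 2, 20),
            Acceptance("risk-committee", date(2022, 2, 21), date(2022, 5, 1))),  # valid
]
SCAN_SCOPE = ["web-01", "db-02", "erp-03", "api-04"]
DISCOVERED = ["web-01", "db-02", "erp-03", "api-04", "printer-17", "legacy-vpn-02"]


def report(findings=SAMPLE_FINDINGS, today=TODAY, scope=SCAN_SCOPE, discovered=DISCOVERED):
    """Bundle the three checks into one structure a ticketing job could consume."""
    return {
        "reopen": [(f.asset, f.vuln_id, why) for f, why in review_acceptances(findings, today)],
        "debt": [(f.asset, f.vuln_id) for f in vulnerability_debt(findings, today)],
        "unscanned": unscanned_assets(scope, discovered),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(section)
        for row in rows:
            print("  ", row)
```

The point of the expiry rule is that "accepted" is never a terminal state: every acceptance carries a date on which it returns to the queue, and an acceptance signed by someone outside the authorised roles is treated as no acceptance at all, which is exactly the lawyer's objection in point 3.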

I’m Rafal, and I’m a 20+ year veteran of the Cyber Security and technology space. I tend to think with a wide-angle lens, and am unapologetically no-bullsh*t.
