NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge
More Menu Less Menu
Schedule a Demo
Threat and Exposure Research

What’s the matter with vulnerability management?

Every day I get tot talk to a lot of infosec professionals and business people regarding vulnerability management. They tell me that using the various $BRANDS of commercial vulnerability scanners out there and they tell me they are very frustrated.

Information overload

The average scanner produced a huge amount of “raw” data that they to sort through. Plus most of the people do not understand in depth the vulnerabilities identified and cannot explain them to network administrators and especially developers, in the case of vulnerabilities found in web applications.

Plus, remediation is lacking due to the fact again that the vulnerabilities and their associated business risks are not well understood and who has to fix them is not motivated to do it quickly and efficiently.

So, in a nutshell, huge data, lot’s of manual analysis and no action. No wonder why the bad guys keep getting in exploiting low hanging fruit vulnerabilities!

Vulnerability management is a process

When I say that vulnerability scanning is only one step in the vulnerability management process and they seem very shocked about that as if I said something unheard of.

I asked why they do not change their VM process and they do not devise a complete vulnerability management process. Their answer is usually: “We have $BRAND scanner and we cannot take it out even it does not work”.

It’s like people sticking their head in the sand to avoid the problem somehow.

Man sticking head in the sand

The problem — like overall in security — is that people do not want to take the extra step to analyze their risks and deploy appropriate controls in their environments. Vulnerability scanning is NOT a control! It is a tool like any other to generate result and it is part of a control. A control is process and, like any process, is composed by different phases.

Just pressing a button on a vulnerability scanner you just bought does not give you vulnerability management. Just like pressing the same button by a security professional does not equal to performing a penetration testing! It’s just a scan, that’s it.

That’s the reason why a scan does not give you business risks and exposures and why the scan by itself does not give you remediation.

In other words, don’t ask a vacuum cleaner by itself to clean your house!

Learn about NopSec’s unique approach to vulnerability risk management. Download our Best Practices Guide: Vulnerability Management.

Categories
Category
Tags
Verizon 2020 DBIR Report, Vulnerability management
Read Next

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.