What’s the matter with vulnerability management?

Every day I get tot talk to a lot of infosec professionals and business people regarding vulnerability management. They tell me that using the various $BRANDS of commercial vulnerability scanners out there and they tell me they are very frustrated.

Information overload

The average scanner produced a huge amount of “raw” data that they to sort through. Plus most of the people do not understand in depth the vulnerabilities identified and cannot explain them to network administrators and especially developers, in the case of vulnerabilities found in web applications.

Plus, remediation is lacking due to the fact again that the vulnerabilities and their associated business risks are not well understood and who has to fix them is not motivated to do it quickly and efficiently.

So, in a nutshell, huge data, lot’s of manual analysis and no action. No wonder why the bad guys keep getting in exploiting low hanging fruit vulnerabilities!

Vulnerability management is a process

When I say that vulnerability scanning is only one step in the vulnerability management process and they seem very shocked about that as if I said something unheard of.

I asked why they do not change their VM process and they do not devise a complete vulnerability management process. Their answer is usually: “We have $BRAND scanner and we cannot take it out even it does not work”.

It’s like people sticking their head in the sand to avoid the problem somehow.

Man sticking head in the sand

The problem — like overall in security — is that people do not want to take the extra step to analyze their risks and deploy appropriate controls in their environments. Vulnerability scanning is NOT a control! It is a tool like any other to generate result and it is part of a control. A control is process and, like any process, is composed by different phases.

Just pressing a button on a vulnerability scanner you just bought does not give you vulnerability management. Just like pressing the same button by a security professional does not equal to performing a penetration testing! It’s just a scan, that’s it.

That’s the reason why a scan does not give you business risks and exposures and why the scan by itself does not give you remediation.

In other words, don’t ask a vacuum cleaner by itself to clean your house!

Learn about NopSec’s unique approach to vulnerability risk management. Download our Best Practices Guide: Vulnerability Management.