The above quote, from a blog by Augusto Barros on his notes from the Gartner Security and Risk Summit 2016, sounds very scary to me considering that so many organizations often rely solely on Vulnerability Assessment (VA) tools to try to drive the remediation of different types of vulnerabilities.
Yes, it sounds scary, but it does not come as a surprise. No organization will run a vulnerability management program without the support of a VA tool. The point is that these tools evolved from a model of assessment that was relevant at a different point in time, and in many ways their prevailing use cases still repeat processes and rely on models from the past. Many organizations still see vulnerability management as if we lived in 1999, and vendors provide them with what they want. This “original sin” is what, in my opinion, blocks any revolution in the VA market. And a revolution is needed. Infrastructures have been changing fast and will continue to change, and so will the requirements to assess vulnerabilities and mitigate the risk they represent to organizations. This is today. This is now.
It is also today and now that organizations need to change the way they see vulnerability management and probably start looking at other existing forms of vulnerability assessment outside the market for VA tools.
Back to the quote: “Vulnerability scan results are still showing too many inconsistencies”.
I will not enter the discussion about VA technology, scan accuracy, or the quality of existing tools. What I want to mention is something organizations can do, outside the use of VA tools, to reduce the overwhelming numbers of findings those tools report. Those numbers both create a lot of unnecessary work and give the impression that little can be done to make a reasonable positive impact on the number of vulnerabilities.
At Flexera, working closely with our vulnerability research team, Secunia Research, we developed a vision to introduce security principles into the foundational processes and activities that can significantly reduce the number of critical vulnerabilities found during traditional vulnerability assessment checks on commercially available software.
We achieve that by supporting those in charge of managing organizations’ infrastructures and systems, helping them sift through thousands of patchable software products and versions to make the right decisions about which patch to apply, when, and where, and providing content and capabilities to configure and deploy those patches. That means achieving better security results with efficient use of resources. We do that by applying the principles of the Software Vulnerability Management lifecycle to our Software Vulnerability Management products.
You can hear more on the use of a different approach to vulnerability management in the webinar: “Activate the Full Potential of Your Vulnerability Management Program” with Forrester’s analyst Kelley