Patch Management Strategies: The numbers game that doesn’t help anyone

Every year, researchers and organizations working with vulnerability reporting release their findings from previous years and it’s always the same: plenty of inconsistent numbers. Some say the count is up, some say the count is down. Normally the divergent numbers open heated discussion in forums, with passionate arguments and big disagreements.

The fact is: no one can tell the exact total number of vulnerabilities for all software out there. Counts depend on what researchers track, their methodology and their approach to it.

What is often forgotten is that this is not a numbers game. While it is very tempting to boil things down to the most simplified interpretation and claim big numbers, it diverts the focus from what should be the major concern for organizations: we are failing terribly in our patch management strategies.

This claim is supported by the data, which shows that the vast majority of exploited vulnerabilities are exploited long after the vulnerability becomes public.


What is even more intriguing is that the vast majority of vulnerabilities have a patch available at the time they become public, which tells us there is plenty of room to improve our patch management processes. What is needed is a new perspective on patch management, one that uses vulnerability intelligence to prioritize the work and patch the right things first.

To learn more, watch this on-demand webinar featuring John Pescatore, Director of Emerging Security Trends at SANS: SANS Presents "A New Perspective on Patch Management".
