Banking Technology Magazine | Banking CIO Outlook
JANUARY 2025 | IN MY OPINION

Critical Role of Vulnerability Management

By Konráð Hall, Executive Director, Íslandsbanki [ISB: ICE]

Technical environments are getting ever more complex, and new tech stacks are added, most often without decommissioning previous solutions. With an increasing number of vulnerabilities being found, managing them is a risk that must be taken very seriously. Automation is a prime candidate for reducing the effort that goes into vulnerability management.

Identifying and patching vulnerabilities is one of the foundations of a good security posture. Unpatched vulnerabilities are a red carpet for threat actors and should be taken very seriously, all the way from IoT devices to the mainframe. This is, however, very challenging. Firstly, technical environments tend to grow, in the number of applications, infrastructure devices and tech stacks alike. Even though every new initiative promises to decommission old systems, we must admit that the success rate is nothing to write home about. Add hybrid cloud and on-prem setups to the equation and this becomes harder still to manage. Secondly, the number of known vulnerabilities has increased over the last few years, and we can expect it to keep growing for the foreseeable future.

It is quite interesting to look at the inner workings of vulnerability tracking. Publicly known vulnerabilities are registered and catalogued within a program called CVE (Common Vulnerabilities and Exposures). Every vulnerability is assigned a unique CVE number and a severity score (CVSS). The program dates back to 1999, is the de facto catalogue for vulnerabilities, and is widely used by scanning and reporting platforms. Since 2016 the CVE Program has been actively expanding the number of organizations participating in it. So, all in all, there is an increase on all fronts: more code, more researchers, and more CVE numbers.

But what is to be done? A solid vulnerability management policy must be instigated and supported by upper management. In practical terms, that means a written threshold is put down, based on a given risk appetite. Some organizations might be satisfied when all high-severity vulnerabilities are patched within 90 days on internal networks and within 30 days on internet-facing networks. Others might want all medium-severity ones patched within the same timeframe or less. Writing the policy is, however, the easy part. The tricky part
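As an added illustration of the automation the piece calls for (example code written for this page, not the author's or Íslandsbanki's), the script below applies a written threshold of the kind just described to a constructed scan export: the 30-day and 90-day figures are taken as assumed policy values, severity is derived from the CVSS v3.x base score bands, and low-severity findings are skipped because the assumed policy sets them no deadline.

```python
"""Added example (not the article's code): check scan findings against a
written patching deadline. CVSS v3.x severity bands; deadlines are the
article's illustrative figures (high: 30 days internet-facing, 90 internal).
"""
from dataclasses import dataclass
from datetime import date
# Max age in days for an unpatched finding, by (severity, exposure).
# Assumed policy; "low" has no deadline and is deliberately absent.
POLICY = {
    ("critical", "internet"): 30, ("critical", "internal"): 90,
    ("high", "internet"): 30,     ("high", "internal"): 90,
    ("medium", "internet"): 90,   ("medium", "internal"): 90,
}

@dataclass
class Finding:
    cve: str          # constructed placeholder ids below, not real CVEs
    cvss: float       # CVSS base score as reported by the scanner
    exposure: str     # "internet" or "internal"
    first_seen: date  # date the scanner first reported the finding
    patched: bool

def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if cvss >= 9.0: return "critical"
    if cvss >= 7.0: return "high"
    if cvss >= 4.0: return "medium"
    return "low"

def overdue(findings, today: date):
    """Return [(cve, days_past_deadline)] for unpatched findings in breach, worst first."""
    result = []
    for f in findings:
        limit = POLICY.get((severity(f.cvss), f.exposure))
        if f.patched or limit is None:
            continue
        age = (today - f.first_seen).days
        if age > limit:
            result.append((f.cve, age - limit))
    return sorted(result, key=lambda r: -r[1])
# Constructed scan export (placeholder CVE ids) and a fixed "today" for reproducibility.
TODAY = date(2025, 1, 15)
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, "internet", date(2024, 11, 1), False),
    Finding("CVE-0000-0002", 7.5, "internal", date(2024, 9, 1), False),
    Finding("CVE-0000-0003", 5.3, "internet", date(2024, 12, 20), False),
    Finding("CVE-0000-0004", 8.1, "internet", date(2024, 10, 1), True),
    Finding("CVE-0000-0005", 3.1, "internet", date(2024, 6, 1), False),
]
```

Running `overdue(SAMPLE, TODAY)` reports the two findings past their deadline, the internal high-severity one first because it has been in breach longest; the patched, the still-in-window medium and the low-severity findings are left out.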