JANUARY 2025 | Page 9

CRITICAL ROLE OF VULNERABILITY MANAGEMENT

is executing and complying with the policy, because this work is tedious, and one can rest assured that it is never done. To begin, all assets have to be known; then they have to be scanned with a proper vulnerability scanning utility. Prioritise the work at hand based on the policy, using CVE scoring and the placement of assets. At Islandsbanki we include the vulnerability metrics in our Key Risk Indicators (KRI), and that has proved to be a good driver for successful involvement and understanding beyond the IT Operations team. That is a key ingredient in maintaining a healthy environment, because many vulnerabilities call for business decisions, such as decommissioning or upgrading EOL systems, refactoring code, and possibly additional investments.

I use a basic process when it comes to patching:

1. Fix the vulnerability in a timely manner (default action)
2. Accept the risk associated with the vulnerability, either temporarily or permanently
3. Shut down the asset containing the vulnerability

If an asset cannot be patched for some reason, it should be shut down unless a risk acceptance from the relevant product team is signed off. A car without brakes and safety belts would never be allowed in traffic.

"Unpatched vulnerabilities are the red carpet for threat actors and should be taken very seriously, all the way from IoT devices to the mainframe."
Konráð Hall

All that has been described is, however, a reactive process. The next step is to prevent vulnerabilities from going into circulation, and I think that should be the main focus for all software and infrastructure delivery going forward. Here we can utilize the benefits that automation brings to the table, whether for traditional IT Operations or for software deployments via CI/CD pipelines. Using vulnerability scanners during the build process, quality gates can be implemented that stop the deployment when vulnerable code is detected. Developers are then forced to revisit the code and make the necessary adjustments before it is committed again. The same thinking should be applied to IT Operations.

It is amazing how many vulnerabilities can be found in a fairly recent version of almost any OS on the market. Rather than updating a golden image every three months, all server deployments should be done via a pipeline where the image is scanned and preferably patched automatically before being introduced into a live environment. This will make vulnerability management easier and an integrated part of daily operations.
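The pipeline quality gate described above, combined with the three-option patching process (fix, accept the risk with sign-off, or shut the asset down), can be expressed as a small decision step that runs after the scanner. The following is an added example, not code from the article or from Islandsbanki. It assumes scanner findings have already been normalised into a list of CVE, CVSS score, package and fixed version (real scanners emit JSON that would be mapped into this shape), that risk acceptances are recorded with an approver and an optional expiry date, and that the policy sets a CVSS floor per asset placement; the thresholds, CVE identifiers and package names are constructed for illustration.

```python
"""CI quality gate over vulnerability-scanner findings.

Added example, not from the article. Findings, acceptances and thresholds
below are constructed; the CVE identifiers are placeholders.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Policy floor per asset placement: a finding at or above this CVSS base score
# blocks the deployment. Assumed values; an organisation sets these in policy.
CVSS_BLOCK_THRESHOLD = {"internet-facing": 4.0, "internal": 7.0}


@dataclass(frozen=True)
class Finding:
    """One scanner finding, normalised from whatever JSON the scanner emits."""
    cve: str
    cvss: float
    package: str
    fixed_version: Optional[str]  # None: no vendor fix available yet


@dataclass(frozen=True)
class RiskAcceptance:
    """A signed-off acceptance (option 2). expires=None means permanent."""
    cve: str
    approved_by: str
    expires: Optional[date]


@dataclass
class GateResult:
    decision: str                                   # "pass" or "block"
    blocking: list = field(default_factory=list)    # findings that fail the gate
    actions: dict = field(default_factory=dict)     # cve -> recommended action
    expired_acceptances: list = field(default_factory=list)


def evaluate(findings, acceptances, placement, today):
    """Apply the policy floor and the acceptance register; return a GateResult."""
    threshold = CVSS_BLOCK_THRESHOLD[placement]
    active, expired = set(), []
    for a in acceptances:
        # A temporary acceptance lapses on its own; a permanent one never does.
        if a.expires is None or a.expires >= today:
            active.add(a.cve)
        else:
            expired.append(a.cve)

    result = GateResult(decision="pass", expired_acceptances=expired)
    # Highest score first so the pipeline log leads with what matters most.
    for f in sorted(findings, key=lambda x: x.cvss, reverse=True):
        if f.cvss < threshold:
            continue  # below the policy floor for this placement
        if f.cve in active:
            continue  # option 2: accepted risk, still within its validity
        result.blocking.append(f)
        if f.fixed_version:
            # Option 1, the default action: a fix exists, so take it.
            result.actions[f.cve] = f"upgrade {f.package} to {f.fixed_version}"
        else:
            # No fix yet: only a signed acceptance (2) or shutdown (3) remain.
            result.actions[f.cve] = (
                "no fix available: obtain signed risk acceptance or shut down asset"
            )
    if result.blocking:
        result.decision = "block"
    return result


def gate_exit_code(result):
    """A non-zero exit fails the CI job, which is what stops the deployment."""
    return 1 if result.decision == "block" else 0


# Constructed sample input standing in for a scanner report.
SAMPLE_FINDINGS = [
    Finding("CVE-TEST-0001", 9.8, "openssl", "3.0.13"),
    Finding("CVE-TEST-0002", 7.5, "libxml2", None),
    Finding("CVE-TEST-0003", 5.3, "curl", "8.6.0"),
    Finding("CVE-TEST-0004", 3.1, "zlib", "1.3.1"),
]
# Constructed acceptance register: one valid, one already expired.
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("CVE-TEST-0002", "product-team-a", date(2025, 3, 31)),
    RiskAcceptance("CVE-TEST-0003", "product-team-b", date(2024, 12, 31)),
]
TODAY = date(2025, 1, 15)  # constructed build date

if __name__ == "__main__":
    import sys
    r = evaluate(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, "internet-facing", TODAY)
    for f in r.blocking:
        print(f"BLOCK {f.cve} cvss={f.cvss} {f.package}: {r.actions[f.cve]}")
    for cve in r.expired_acceptances:
        print(f"NOTE expired risk acceptance for {cve}; re-approval needed")
    print("gate:", r.decision)
    sys.exit(gate_exit_code(r))
```

Two design points carry the article's argument into the gate: the acceptance register is the only way past the floor, so a temporary acceptance that has expired stops protecting the build and is reported for re-approval rather than silently honoured; and a finding with no vendor fix is not waved through, because the remaining choices are exactly the signed acceptance or shutting the asset down.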