CISO Summit No. 26: Vulnerability Management: How to recognize vulnerabilities and threats and defend against them successfully?
At first glance, vulnerability management does not look very attractive. However, for many enterprises, engaging with the processes around vulnerability and asset management is very beneficial: it reduces the attack surface substantially.
Before starting with vulnerability management, an organization's processes must be mature and well defined: patch management, lifecycle management, and adjacent processes need to be established at a high maturity level. This also requires a change of perception, from patch management as a means of reducing errors to patch management as a strategic security activity.
It is well recognized that asset management will never be 100% perfect, but approaching a state of “near perfect” is highly desirable. The inventory includes hardware, software (applications), middleware, firmware, and services such as encryption (note: remember Heartbleed). In addition, the link between assets and responsibilities is of critical importance: a group or a person may be responsible for an individual asset or for a group of assets.
We face two levels of automation today. The automation of software production with DevOps and DevOpsSec is not relevant in this context, but the automation and orchestration of vulnerability scanners is highly relevant. The main processes must be efficient and automated, while zero-day exploits must still be followed and evaluated by hand. Those two approaches must be connected and tuned to each other.
Another issue is the weight of a CVSS rating depending on the security zone in which the vulnerability shows up: the rating may differ from the systematic rating because of enhanced or diminished business impact. The number of false positives, i.e. false alarms, is paramount: unless it is sufficiently low, these systems bring no value to the company. Finally, the everyday routine, including the human factor within and between groups, plays a major role in the success of the next generation of vulnerability management.