This post from Dark Reading asks “how do you choose what to fix first?” A lot of what should drive your decision is an understanding of risk. However, I’d add that you can automate a lot of updates (and accept the associated risk), bringing the number of do-we/don’t-we decisions down to a manageable number…:
The way that organizations today decide which software vulnerabilities to fix and which to ignore reduces risk no better than if they rolled dice to choose, according to a new study today from Kenna Security and Cyentia Institute. The report’s authors argue that enterprises need to get smarter about how they prioritize flaws for remediation if they want to really make a dent in their risk exposure.
The fact is that organizations today are drowning in software vulnerabilities. A different report out today from Risk Based Security highlights this reality. It found that last quarter alone there were nearly 60 new vulnerabilities disclosed every single day. Among the 5,375 flaws published in the first 90 days of the year, approximately 18% had CVSS scores of 9.0 or higher.
Those numbers in part demonstrate why some organizations can’t fix every vulnerability in their environment – which means they must prioritize their efforts. The question is, what makes for a good prioritization system?
Techniques like using CVSS vulnerability severity scores to guide vulnerability management activities have long been the stand-in methodologies. But those can’t necessarily predict how likely attackers will be to actually exploit any given flaw in order to carry out an attack. And that’s the real fly in the ointment, because according to the Kenna and Cyentia report, just 2% of published vulnerabilities have observed exploits in the wild.
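To make the prioritization point concrete, here is an added example (not code from the Dark Reading article, the Kenna/Cyentia report, or Risk Based Security): a small triage that ranks vulnerabilities by exploitation evidence and exposure rather than by CVSS alone, and that also implements the “automate the low-risk updates, decide on the rest” idea from the opening paragraph. Everything in it is an assumption for illustration: the weights, the three buckets, the exploit-evidence flags (in practice these would come from a known-exploited or exploit-availability feed) and the sample records, whose CVE ids are constructed placeholders, not real advisories.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str                  # constructed placeholder id, not a real CVE
    cvss: float               # CVSS base score, 0..10
    exploited_in_wild: bool   # assumed: taken from a known-exploited feed
    exploit_available: bool   # assumed: a public exploit/PoC is tracked by a feed
    internet_facing: bool     # is the affected asset reachable from the internet
    asset_criticality: int    # 1 (low) .. 5 (business critical)
    patch_available: bool     # vendor fix exists


# Illustrative weights (an assumption): exploitation evidence dominates, because
# the report quoted above says only ~2% of published CVEs are exploited in the
# wild, so CVSS severity alone is a weak predictor of real-world risk.
W_CVSS, W_EXPLOIT, W_EXPOSURE, W_ASSET = 0.25, 0.45, 0.15, 0.15


def exploit_evidence(v: Vuln) -> float:
    """Strength of evidence that this flaw is actually being used by attackers."""
    if v.exploited_in_wild:
        return 1.0
    if v.exploit_available:
        return 0.5
    return 0.0


def risk_score(v: Vuln) -> float:
    """Risk on a 0..100 scale; higher means fix sooner."""
    score = (W_CVSS * v.cvss / 10
             + W_EXPLOIT * exploit_evidence(v)
             + W_EXPOSURE * (1.0 if v.internet_facing else 0.5)
             + W_ASSET * v.asset_criticality / 5)
    return round(100 * score, 2)


def ranked(vulns):
    """CVE ids ordered by risk_score, highest first."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]


def triage(vulns):
    """Split vulns into fix_now / auto_patch / decide, each sorted by risk."""
    buckets = {"fix_now": [], "auto_patch": [], "decide": []}
    for v in vulns:
        if v.exploited_in_wild and (v.internet_facing or v.asset_criticality >= 4):
            # actively exploited and exposed or on a critical asset: no debate needed
            buckets["fix_now"].append(v)
        elif v.patch_available and not v.exploited_in_wild and v.asset_criticality <= 2:
            # low-criticality asset, vendor fix exists, nothing exploiting it:
            # roll the update out automatically and accept the regression risk
            buckets["auto_patch"].append(v)
        else:
            # everything else is a genuine do-we/don't-we decision
            buckets["decide"].append(v)
    for items in buckets.values():
        items.sort(key=risk_score, reverse=True)
    return buckets


# Constructed sample data; the ids are placeholders, not real advisories.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, False, False, False, 2, True),   # critical CVSS, no exploit
    Vuln("CVE-0000-0002", 7.5, True,  True,  True,  5, True),   # exploited, exposed, crown jewel
    Vuln("CVE-0000-0003", 6.1, False, True,  True,  3, True),   # PoC only, exposed
    Vuln("CVE-0000-0004", 9.0, False, False, False, 5, False),  # critical CVSS, no fix yet
    Vuln("CVE-0000-0005", 4.3, True,  True,  False, 2, True),   # low CVSS but exploited
]

if __name__ == "__main__":
    for name, items in triage(SAMPLE_VULNS).items():
        print(name)
        for v in items:
            print(f"  {v.cve}  cvss={v.cvss:<4}  score={risk_score(v)}")
```

Run as-is, the CVSS 9.8 record lands in the auto-patch bucket with the lowest score, while the CVSS 7.5 and even the CVSS 4.3 records that are exploited in the wild outrank it; that inversion is exactly what a CVSS-only ordering would get wrong, and it is the reason the exploit-evidence term carries the most weight here.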