I'm curious if anyone has ever managed to get their systems down to zero vulnerabilities or even below the tens of thousands. It always feels like just when we're making some progress, the number of vulnerabilities spikes dramatically the next month. Has anyone found a strategy that actually works?
7 Answers
Zero vulnerabilities means zero access and functionality, which isn't viable in real-world scenarios. Having vulnerabilities below tens of thousands is achievable with ongoing updates and patch management, but it's all about finding a balance to keep things stable.
Completely eliminating vulnerabilities in a dynamic environment is pretty much impossible. The key is continuous patching and prioritizing what needs attention to keep numbers in check.
How are you tracking your vulnerabilities? If you're just checking at random points in time, you’ll always be behind. It’s better to track vulnerabilities based on your policy timeline—like ensure patches are applied within 30 days after a vulnerability is detected.
You definitely wouldn’t want to look at our Qualys dashboard—it's a mess! We manage servers while the application owners often neglect their fixes, leading to ongoing issues. It’s more a management problem than a tech one.
Reaching zero vulnerabilities isn’t really a reasonable goal. You can’t predict how many new ones will pop up next month or next week, especially with the rise of AI-related threats. What’s more important is having a clear risk management strategy in place with defined SLAs for addressing these vulnerabilities.
We’ve had great success minimizing vulnerabilities with PatchMyPC.com. It cut our monthly tasks down drastically. Every time we reimage a workstation, it gets the latest versions of all apps. However, how effective is it for less common applications?
I’m curious about that too! In a large organization with around 3000 apps, keeping up with the less common ones is quite a challenge.
It also depends on the tools you're using. Some tools display redundant entries for the same vulnerabilities, which can be misleading. So, your risk analysis should be realistic, and your SLA needs to accommodate your specific needs based on your environment's size and diversity.
Exactly! Even after a major fix, you could be back in the thousands almost instantly. Browsers and apps like Adobe are notorious for introducing new vulnerabilities, so aiming for a goal of less than 1% of vulnerabilities being older than a year is more practical.
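The policy-timeline tracking suggested above (patch within a fixed number of days of detection) and the "less than 1% older than a year" target can be measured directly from a scanner export, after collapsing the redundant rows some tools emit for the same host and vulnerability. This is an added example, not code from any poster or from Qualys or PatchMyPC; the 30-day SLA, the host names and the VULN-x identifiers are constructed placeholders.

```python
"""SLA-based vulnerability metrics over a constructed scanner export.
Assumptions (not from the thread): a 30-day remediation policy, and
findings keyed by (host, vulnerability id) with placeholder ids."""
from collections import namedtuple
from datetime import date

Finding = namedtuple("Finding", "host vuln_id detected fixed")

SLA_DAYS = 30      # assumed policy: remediate within 30 days of detection
STALE_DAYS = 365   # "older than a year" threshold discussed in the thread

# Constructed sample export; row 2 is a duplicate of row 1 as some tools emit.
SAMPLE = [
    Finding("srv01", "VULN-A", date(2024, 5, 20), None),
    Finding("srv01", "VULN-A", date(2024, 5, 25), None),   # redundant entry
    Finding("srv02", "VULN-B", date(2024, 4, 1), None),    # past the 30-day SLA
    Finding("srv03", "VULN-C", date(2023, 1, 15), None),   # older than a year
    Finding("srv04", "VULN-D", date(2024, 1, 1), date(2024, 1, 20)),  # closed
]


def dedupe(findings):
    """Collapse duplicate (host, vuln_id) rows, keeping the earliest
    detection date so the finding's true age is not understated."""
    seen = {}
    for f in findings:
        key = (f.host, f.vuln_id)
        if key not in seen or f.detected < seen[key].detected:
            seen[key] = f
    return list(seen.values())


def sla_report(findings, today):
    """Return (open_count, pct_over_sla, pct_older_than_year) for
    findings still open on `today`, after de-duplication."""
    open_ = [f for f in dedupe(findings) if f.fixed is None or f.fixed > today]
    if not open_:
        return (0, 0.0, 0.0)
    ages = [(today - f.detected).days for f in open_]
    over_sla = sum(1 for a in ages if a > SLA_DAYS)
    stale = sum(1 for a in ages if a > STALE_DAYS)
    return (len(open_), 100.0 * over_sla / len(open_), 100.0 * stale / len(open_))


def demo():
    """Run the report against the constructed sample as of 2024-06-01."""
    return sla_report(SAMPLE, date(2024, 6, 1))


if __name__ == "__main__":
    n, over, stale = demo()
    print(f"open={n} over_sla={over:.1f}% older_than_year={stale:.1f}%")
```

Trend the last two numbers month over month: the open count will keep jumping with every browser release, but the percentages tell you whether the remediation process is keeping pace.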