I'm dealing with the challenge of coordinating vulnerability remediation between our security and operations teams, and right now we're relying on spreadsheets. This approach has led to some friction in our workflow, and I'm curious if others out there have found more efficient methods or tools for this process. What are your thoughts or experiences? Any tips would be greatly appreciated!
6 Answers
We had new management that insisted we track everything in Jira, which I wasn't a fan of when I was in charge. Spreadsheets were mainly for compliance checks. My priority was automated patching instead; we just needed to rescan regularly and check what didn't get fixed. If there were any manual tasks that continued to pop up, that'd need addressing because it can become unmanageable.
Check out Rapid7's InsightVM; it's pretty solid for vulnerability management.
Aren't most decent vulnerability tracking tools equipped with features for managing statuses like 'open' or 'closed'? I mean, ours definitely has it built in.
Spreadsheets often lack detail where it matters. Security teams tend to miss out on key specifics, like the exact location of vulnerabilities. Also, keep in mind that patches often require specific settings to be effective, so tracking that accurately is crucial. My go-to method is filtering scans for vulnerabilities that showed up in the last month, focusing on high and critical issues, but that needs proper tool access and some commitment from the sysadmins.
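The rescan-and-compare and "last month, high and critical" filtering approaches mentioned in the answers above, sketched as an added example that is not part of any poster's reply. The CSV column names, finding IDs and scan data are constructed assumptions, not the export format of any particular scanner:

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports; column names and finding IDs are assumptions.
PREVIOUS_SCAN = """host,finding_id,severity,first_seen
web01,FINDING-001,critical,2024-05-20
web01,FINDING-002,medium,2024-03-02
db01,FINDING-003,high,2024-02-11
app02,FINDING-004,high,2024-05-28
"""
CURRENT_SCAN = """host,finding_id,severity,first_seen
web01,FINDING-001,critical,2024-05-20
web01,FINDING-002,medium,2024-03-02
app02,FINDING-005,critical,2024-06-09
db01,FINDING-006,low,2024-06-08
"""

def load(text):
    """Index findings by (host, finding_id) so the same issue on two hosts stays distinct."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["host"], r["finding_id"]): r for r in rows}

def compare(previous, current):
    """Split findings into remediated, outstanding and new between two scans."""
    prev, curr = load(previous), load(current)
    return {
        "remediated": sorted(prev.keys() - curr.keys()),
        "outstanding": sorted(prev.keys() & curr.keys()),
        "new": sorted(curr.keys() - prev.keys()),
    }

def recent_high_critical(current, today, days=30):
    """Findings still present, rated high or critical, first seen within `days`."""
    cutoff = today - timedelta(days=days)
    return sorted(
        key for key, r in load(current).items()
        if r["severity"].lower() in {"high", "critical"}
        and date.fromisoformat(r["first_seen"]) >= cutoff
    )

if __name__ == "__main__":
    for status, keys in compare(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(status, keys)
    print("priority", recent_high_critical(CURRENT_SCAN, date(2024, 6, 10)))
```

A finding that is absent from the current export only counts as remediated if the host was actually reachable and scanned in that run, so check scan coverage before closing it.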
I've found that combining roles can sometimes simplify things—you end up doing both security and ops tasks. Instead of spreadsheets, I use a Word template for documenting critical vulnerabilities, including specific remediation details. It lets us organize everything easily—just store it in a dedicated folder for tracking.
What's the story behind cleaning the kitchen?
How do you keep track of what's been remediated vs. what's still outstanding? Do you ever lose track of things or get audited?
We use our main ticketing system too! It requires some manual ticket creation, but overall it's a workable process that allows every team to add notes and relevant info.

That's true, but sometimes we run into issues with too many different tools and merging data, plus separating cloud from on-prem needs.