Vulnerability management is difficult. Many organizations aim to fix all the security vulnerabilities they can identify. They want to run a scan like Qualys and that everything come up green. In my opinion, it is a good and ambitious objective, but that strategy can be counter-productive.Continue reading “Off the top of my head: About having everything green in Qualys”
Today, 1st of November, many teams will be upgrading OpenSSL to fix the critical vulnerability that will be announced between 13:00 and 17:00 UTC. That will be possible only if they know where they have OpenSSL installed in their infrastructure. Organizations know that an inventory of assets is essential for security, however, few have one up-to-date. Even in the case a company has an inventory of assets and it is up-to-date, it might not include information about packages installed on operative systems, containers and container images.