We have had tools and technology to help us identify vulnerabilities for over 20 years. The Nessus project began in 1998. Qualys and Rapid7 released products shortly thereafter. Tools for identifying vulnerabilities in code were made available around the same time with AppScan, Fortify, WebInspect, and Acunetix being just a handful of early options. The number of identification mechanisms and the maturity of tools has greatly increased over the years, yet we still struggle to eliminate vulnerabilities in our environments. Why can't we solve this seemingly simple problem?
Obviously, identification is not the key to effective vulnerability management. So, what should we be doing and what are some of the reasons we are failing? Join me as I share examples of the struggles many of my clients are facing and discuss the best practices that can help organizations avoid these failures.