Jon
Security Engineer, Amateur Triathlete, Aspiring Rancher, Big Pizza Guy
Vulnerability Management
Everything is Made up and the Points Don't Matter
Everyone has a million vulnerabilities, and that’s OK. What percentage of them can actually be exploited? Without an answer to that question, we’re just throwing money at a pricey Sisyphus simulation.
Addressing the ~3% of vulnerabilities that pose a serious risk is a far better use of my time. The other 97% of my vulnerability management brain space should be dedicated to solving other focused, accomplishable tasks.
Small strides in patching or dependency management bring the big scary number down far more effectively than bombarding engineering teams with individual fixes they will never care about. Of course we should want engineers to care about vulnerable systems, so let's build a solution to those problems instead of punishing them with endless garbage.
I’d like to retire “Vulnerability Management” in favor of something fresh and fun like “Risk Wrangling” or “Exploit Evasion Engineering”.