The process of managing software vulnerabilities inside the enterprise - tracking flaws and determining which ones to fix first - has long been complicated by the sheer number of patches that must be assessed, applied, tested and rolled out, says Wolfgang Kandek, CTO at the security firm Qualys.
In the early days of patch management, many information security pros focused on the severity rating of a vulnerability and tried to patch the most severe ones first, he says. But in recent years, Kandek says, there's been an increased focus on pragmatism - concentrating on the 60 or so flaws per year that attackers actually target.
"The best way of doing things is going after vulnerabilities that are actually being exploited in the wild - not so much looking at the severity. What's in use? What do the bad guys attack? ... Do you have it in your network? And if you do, those are the ones that you would want to go after," he says.
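The prioritization Kandek describes reduces to three questions: what is being exploited, what is in your network, and only then how severe it is. The following Python is an added example written for this page, not code from Qualys or from the interview. It assumes two inputs a practitioner already has - scanner findings as (host, CVE) pairs and a catalog of known vulnerabilities carrying a CVSS score and an "exploited in the wild" flag from some threat feed - and puts known-exploited flaws that are present in the network ahead of higher-scored flaws nobody is attacking. The identifiers, hosts and scores in the sample data are constructed placeholders, not real advisories.

```python
"""Triage scanner findings: exploitation status first, severity second.

Added example for this page. All sample data is constructed; the
CVE identifiers below are placeholders, not real advisories.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # identifier (placeholder values in the sample data)
    cvss: float       # base severity score, 0.0 to 10.0
    exploited: bool   # seen exploited in the wild, per an assumed threat feed


def triage(vulns, findings):
    """Group present vulnerabilities into priority tiers.

    vulns:    catalog of Vuln records (severity plus exploitation flag).
    findings: iterable of (host, cve) pairs reported by a scanner.

    Tier 1: exploited in the wild AND present in the network -> patch first.
    Tier 2: present, not known-exploited, CVSS >= 7.0 -> next.
    Tier 3: present, everything else, including CVEs missing from the
            catalog (kept visible rather than silently dropped).
    Catalog entries not found on any host are omitted: nothing to patch.
    Within a tier, order by number of affected hosts, then CVSS, then id.
    Each tier entry is (cve, affected_host_count, cvss).
    """
    by_cve = {v.cve: v for v in vulns}
    hosts = defaultdict(set)
    for host, cve in findings:
        hosts[cve].add(host)

    tiers = {1: [], 2: [], 3: []}
    for cve, affected in hosts.items():
        # Unknown to the catalog: treat as unscored and not known-exploited.
        v = by_cve.get(cve, Vuln(cve, 0.0, exploited=False))
        if v.exploited:
            tier = 1
        elif v.cvss >= 7.0:
            tier = 2
        else:
            tier = 3
        tiers[tier].append((cve, len(affected), v.cvss))

    for tier in tiers:
        tiers[tier].sort(key=lambda e: (-e[1], -e[2], e[0]))
    return tiers


def work_queue(vulns, findings):
    """Flatten the tiers into the order a patch team should work through."""
    tiers = triage(vulns, findings)
    return [cve for tier in (1, 2, 3) for cve, _, _ in tiers[tier]]


# Constructed sample data (placeholder identifiers, not real advisories).
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, exploited=False),   # critical, but nobody attacks it
    Vuln("CVE-0000-0002", 7.5, exploited=True),    # high, actively exploited
    Vuln("CVE-0000-0003", 5.3, exploited=True),    # medium, actively exploited
    Vuln("CVE-0000-0004", 8.1, exploited=False),
    Vuln("CVE-0000-0005", 10.0, exploited=True),   # exploited, but absent from our hosts
]
SAMPLE_FINDINGS = [
    ("web-01", "CVE-0000-0001"),
    ("web-01", "CVE-0000-0002"),
    ("web-02", "CVE-0000-0002"),
    ("db-01", "CVE-0000-0003"),
    ("db-01", "CVE-0000-0004"),
    ("mail-01", "CVE-0000-0003"),
    ("mail-01", "CVE-0000-0002"),
    ("web-02", "CVE-0000-0009"),  # reported by the scanner, not in our catalog
]

if __name__ == "__main__":
    for tier, entries in triage(SAMPLE_VULNS, SAMPLE_FINDINGS).items():
        print(f"Tier {tier}:")
        for cve, count, cvss in entries:
            print(f"  {cve}  hosts={count}  cvss={cvss}")
```

Note that the CVSS 9.8 flaw lands in tier 2 behind a CVSS 5.3 flaw that is being exploited, and the CVSS 10.0 flaw never appears because no host has it; a severity-only ordering would have inverted both of those decisions. Feeding a real exploitation source into the `exploited` flag and real scanner output into `findings` is the only change needed to use this on live data.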
In this audio interview with Information Security Media Group conducted at the Infosecurity Europe conference in London, Kandek also discusses:
- Prioritizing which vulnerabilities to patch first;
- The difference between remediating flaws in enterprise software and hardware versus defending against malware;
- The case for simplifying enterprise environments.
Kandek is the chief technology officer at Qualys. During his 13-year tenure there, he has also served as its vice president of engineering, vice president of operations and director of network operations. Before that, he held positions at MyPlay, iSyndicate and IBM.