Several vendors and solution providers now offer vulnerability assessments. These assessments range from fully automated scans to manual validation, but are generally defined as:
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.
Wikipedia
For workstation/server builds and applications, a vulnerability assessment usually starts with a CVE number such as CVE-2023-34048, a critical (CVSS 9.8 out of 10) out-of-bounds write in VMware vCenter Server, or CVE-2023-44487, the HTTP/2 "Rapid Reset" denial-of-service flaw that affects core Microsoft networking components such as the Windows HTTP stack, IIS and .NET. Do you use VMware? .NET? Windows?
As of today, there are 7033 CVE records (registered vulnerabilities) linked to Microsoft products. A vulnerability assessment identifies the risks, but it does not offer guidance: prescriptive, detailed guidance on how to mitigate those risks.
Here's what I think would really help.
Yes, that CVE notice, with its description and severity rating, AND:
- A list of the affected applications, including their dependencies (with CVE details for each)
- A testing plan for each application, based on the affected areas
- A secure testing environment, created/stood up on demand (online, in Microsoft Azure)
- The patch applied automatically to your latest build or to the affected applications
- Automated "smoke" tests for each affected application (install/update/run/uninstall)
- A comparison of the results against the existing platform (previous test runs)
- A report on the differences between the pre- and post-update tests
- A deployment plan/schedule for publishing the updated build or affected applications (all scripted in PowerShell)
Sounds good? Yes. A prescriptive action plan, automatically generated, tuned to my packaging standards, tested against my custom build and ready in minutes.
Readily repeatable for the next CVE release. Yes, please.
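To make the smoke-test and pre/post comparison steps above concrete, here is an added PowerShell illustration. It is not Readiness Unbound's own code: the application entries, the install/run/uninstall command strings and the stored baseline are constructed placeholders (`exit 0`/`exit 1` stands in for a real installer so the script runs anywhere), and the function names are hypothetical.

```powershell
# Added illustration, not Readiness Unbound's own code: a minimal
# install/run/uninstall smoke-test runner plus a pre/post comparison that
# flags regressions after a patch is applied. Application entries, command
# strings and the baseline below are constructed placeholders (hypothetical).

function Invoke-SmokeStep {
    param([string] $Command, [int] $TimeoutSeconds)
    # Run the step under cmd.exe so the same string form works for
    # msiexec, setup.exe /S, winget, etc. A hang counts as a failure.
    $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $Command" `
        -NoNewWindow -PassThru
    $null = $proc.Handle   # cache the handle, otherwise ExitCode can read back as $null
    if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
        $proc.Kill()
        return [pscustomobject]@{ Passed = $false; ExitCode = $null; Note = 'timeout' }
    }
    [pscustomobject]@{ Passed = ($proc.ExitCode -eq 0); ExitCode = $proc.ExitCode; Note = '' }
}

function Invoke-SmokeTest {
    param([hashtable] $App, [int] $TimeoutSeconds = 300)
    $result = [ordered]@{ Name = $App.Name; Install = $false; Run = $false; Uninstall = $false; FailedStep = $null; Note = '' }
    foreach ($step in 'Install', 'Run', 'Uninstall') {
        $r = Invoke-SmokeStep -Command $App[$step] -TimeoutSeconds $TimeoutSeconds
        $result[$step] = $r.Passed
        if (-not $r.Passed) {
            # Stop at the first failure: nothing sensible to run or uninstall after a failed install.
            $result.FailedStep = $step
            $result.Note = if ($r.Note) { $r.Note } else { "exit code $($r.ExitCode)" }
            break
        }
    }
    [pscustomobject]$result
}

function Compare-SmokeResults {
    param([object[]] $Baseline, [object[]] $Current)
    $before = @{}
    foreach ($b in $Baseline) { $before[$b.Name] = $b }
    foreach ($c in $Current) {
        $b = $before[$c.Name]
        foreach ($step in 'Install', 'Run', 'Uninstall') {
            $was = if ($null -ne $b) { [bool]$b.$step } else { $null }
            $now = [bool]$c.$step
            if ($null -eq $was)          { $status = 'new' }         # no baseline entry for this app
            elseif ($was -and -not $now) { $status = 'REGRESSION' }  # passed before the patch, fails now
            elseif (-not $was -and $now) { $status = 'fixed' }
            else                         { $status = 'unchanged' }
            [pscustomobject]@{ Name = $c.Name; Step = $step; Before = $was; After = $now; Status = $status }
        }
    }
}

# --- constructed demo data (hypothetical) --------------------------------
# Real entries would carry e.g. Install = 'msiexec /i C:\pkg\App.msi /qn';
# "exit N" stands in for the installer so the script runs anywhere.
$apps = @(
    @{ Name = 'ExampleApp'; Install = 'exit 0'; Run = 'exit 0'; Uninstall = 'exit 0' },
    @{ Name = 'LegacyTool'; Install = 'exit 0'; Run = 'exit 1'; Uninstall = 'exit 0' }   # breaks after the patch
)
# Pre-patch baseline, as it would have been stored from the previous run.
$baseline = '[{"Name":"ExampleApp","Install":true,"Run":true,"Uninstall":true},
             {"Name":"LegacyTool","Install":true,"Run":true,"Uninstall":true}]' | ConvertFrom-Json

$current = foreach ($app in $apps) { Invoke-SmokeTest -App $app -TimeoutSeconds 60 }
$report  = Compare-SmokeResults -Baseline $baseline -Current $current
$report | Format-Table -AutoSize
$report | ConvertTo-Json | Set-Content -Path 'smoke-report.json'

# Only applications with no regression go into the deployment schedule.
$blocked = @($report | Where-Object Status -eq 'REGRESSION' | Select-Object -ExpandProperty Name -Unique)
$ready   = @($current | Where-Object { $_.Name -notin $blocked } | Select-Object -ExpandProperty Name)
"Ready to deploy: $($ready -join ', ')"
"Blocked:         $($blocked -join ', ')"
```

Run as-is on any Windows machine, the constructed data yields one REGRESSION row (LegacyTool, Run step), so LegacyTool is held back while ExampleApp is listed as ready. Two details matter in practice: the per-step timeout, because a hung installer would otherwise stall the whole pipeline rather than fail it, and the `$proc.Handle` line, which works around a known quirk where `Start-Process -PassThru` without `-Wait` reports a null `ExitCode`.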
To find out more, try Readiness Unbound for a free 3-month trial.