by jollofricepeas 883 days ago
It’s not the results.

It’s what happens after.

More scanners aren’t what we need because vendors still can’t meaningfully answer the most important questions:

- Is the vulnerability valid based on the environment it was found in? Solve this and you’ll reduce enterprise vulnerabilities by probably 30-40%.

- What are the compensating controls? Identify these automagically and reduce the vuln risk scores based on what controls are found, and you will remove another 30% of vuln work for engineering teams.

We don’t need any more scanners. We need better asset and vuln management.

5 comments

That is exactly what we are targeting! We know it's hard, hence we are looking for users for whom we can tune the controls better for their specific environment - we will be able to do this as we have years of experience. This is kind of a side project/service we are going for and not our main business, so we are not looking to sell anything, but we are looking to understand the problem and space better.

Complete support is provided through Slack (or however you wish), so you know you don't have to wait for any kind of support.

We know there are plenty of scanners out there. Hence we are using an open-source one and working on how we can improve the 'what happens after' part by using human-led expertise to save others their time.

- Is the vulnerability valid based on the environment it was found in? Solve this and you’ll reduce enterprise vulnerabilities by probably 30-40%. --> Having a human expert confirm and filter the list is what we are offering to our closed beta users for now, so yes, that is what we are targeting to solve!

- What are the compensating controls? Identify these automagically and reduce the vuln risk scores based on what controls are found, you will remove another 30% of vuln work for engineering teams --> We have a list of controls we've identified, but we know each environment is different, hence we are looking for users we can tune our controls to.

We are particularly looking for users who are in small organizations looking to grow rapidly. Ultimately, we are looking to save other devs time by taking over the cumbersome work.

At what point though is this just consulting? Since everyone's risk tolerances are different and they may or may not have good network architectures or software practices, how would this apply generally to other companies or networks?
Exactly. A lot of times the vulnerability exists in something you’re not using, but it still shows up in reports.

Sifting through that and writing up why that vulnerability doesn’t actually apply to your environment and showing evidence of such is an incredibly time-consuming process. It’s honestly easier to just patch it, a lot of times.

I would add the additional problem of CVEs being devoid of any useful information, which leads to generic tests being created by vulnerability scanners, as they have the same lack of insight as everyone else that's trying to patch the issue, thus creating higher false positives or wasted effort trying to confirm an exploit yourself. I get not wanting to provide a PoC because "script kiddies" might use them, but if we want vulnerabilities patched regularly, you have to provide better assurances that they are valid and that we can show they are patched, a.k.a. tests.
I've seen startups claiming to solve these with reachability analysis. I think upgrading libs regardless could be a better solution, particularly for high-risk vulnerabilities.
But is upgrading libs ENOUGH? And does that make you feel confident that you are secure? We are not claiming to solve using reachability analysis or claiming to solve anything but saving devs their time at this point!
When I was responsible for resolving vulns in my previous companies' Docker images, in many cases upgrading the libraries was enough to resolve the vuln.

My role, and others like me, need to get that critical vuln number down. Meaning yes, upgrading libs was enough.

Mind me asking how big your organization was at that point? And were you the one responsible for patching after if something didn't resolve with upgrading libs?
Shouldn't your analysis/understanding show that upgrading the library is enough? If a CVE or a vulnerability scanner's test isn't telling you the problem that needs to be solved, upgrading a library or anything else won't make a difference, and you wouldn't know the problem either way.

Approaching vulnerability management from a developer's view is a very narrow scope.

I've gotten more use out of Microsoft's "Security Score" to identify and advise on mitigation in my environment than most other "automated" options.

Paying a managed service to advise is also an option. I have heard Huntress is pretty good. I am sure there are others out there.

Yeah, we have realized the same. The 'automated' options don't cut it anymore, or don't give answers specific to your environment; that's why we are offering human expertise to have a look-through and confirm it for free at this point in our closed beta. We mostly want to run this service/microproduct for now and see how we can tune the controls specific to one's environment.
Also, is it just me or is Huntress' website down?
Up for me as of today... I run a few privacy and security plugins and they are not blocking it either.