This is an automated archive.
The original was posted on /r/sysadmin by /u/learningdevops on 2024-01-23 12:09:07+00:00.
Curious for smaller organizations that don't have all the bigger tools at their disposal or have a very small dev team. From what I understand, managing vulnerabilities is usually pushed to the back burner (understandably so) or automated, and not something people particularly want to think about when they have a product to deliver. We are trying to ideate something in this area, specifically the workflow of what happens after a scanner has been run. Does anyone care to share answers to these?
- How do you stay on top of vulnerabilities (CVEs) in your environment(s)?
- Is this something done regularly, ad hoc, or only when necessary?
- Who is responsible for this process? Is there a dedicated person or is it put on someone else's plate?
- What tools are used for managing this process?
- How much time and effort does your team invest in researching and prioritizing vulnerabilities?
Posting this in different subreddits to get all types of answers from people in different adjacent roles :) enjoying reading all the different answers, please keep them coming!
EDIT: We are working on an MVP type of service () to tackle this, where we take the headache of figuring out what to update and which vulnerability to prioritize specific to one's environment. It's a human expert with over 20 years of doing this. We know we cannot scale going like this, but our intention is to get feedback and understand this problem better: how much time does this tedious work (if you aren't automating) really take? Is this something you'd rather not have to do? etc. If you have any feedback regarding this MVP or even the landing page, please feel free to DM or share here! We are looking for users for a closed beta at the moment, and if you think you'd like to try out such a service, comment below!