
Latest Posts

Manage Risk and Productivity with Vulnerability Validation

Vulnerability management is one of the foundational controls that all organizations are required to have out of necessity due to increasing cyberthreats and as a consequence, compliance requirements. Vulnerability management as a practice is fundamental to organizations who want to ensure that their operations run smoothly without any loss of productivity or profits.

An SBOM is Not Enough - You Also Need Context

In a previous post, we discussed whether a Software Bill of Materials (SBOM) can really make a difference from a cybersecurity standpoint, and the answer is a resounding “yes.” However, while an SBOM provides much of the information organizations need to know about the components of the software products they buy and use, such a list by itself is not enough. For an SBOM to be really effective, it needs to have context as well. Not all software products or vulnerabilities are equal.

Vulnerability Patching: A Resource Guide

Vulnerability patching is the short-term implementation of patches, which are pieces of code added to existing software to improve functionality or to remove vulnerabilities that have been flagged. Patches usually come from vendors of affected hardware or software and IT should apply them to an affected area in a timely manner.

Comparing Source Code Analysis and Software Components Analysis

Finding vulnerabilities in software is serious business. Weaknesses in software can lead to security risks such as costly ransomware or phishing attacks, and there are new types of vulnerabilities emerging all the time. The shift to remote and hybrid work models during the past two years has made vulnerability management even more complex—and necessary. Plenty of products are available to help organizations and development teams find vulnerabilities.

PWNKIT - What You Need to Know About It

We are still recovering from the after-effects of Log4j, but there is already a new vulnerability around the corner. PWNKIT, reported by Qualys’ research team, is a major vulnerability related to Linux polkit (previously known as PolicyKit). Like Log4j, the logging utility of Java, polkit is a systemd SUID-root program that controls system-wide privileges in Unix-like operating systems.

You've Discovered a Vulnerability - Now What?

Identifying a weakness or an imminent threat is not the same as resolving the problem. Inaction is not an option. Or to put it another way, taking a deer-in-the-headlights approach does not work well in the cybersecurity realm. Security leaders and teams, and the DevSecOps units they work with, need to focus on taking action as soon as possible once they have found a vulnerability using a scanner, application security testing, penetration testing, or some other method.

Vulnerability Management: A Guide

Vulnerability management is the ongoing practice of continually identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities or weaknesses in operating systems and enterprise applications, whether in the cloud or on-premises. It also applies to browsers and end-user applications. Vulnerability management is integral to both computer and network security. It enables an organization to monitor its digital environment for potential risks in real time.

Explosion in E-Commerce Shines a Spotlight on Vulnerability Management in Retail

The retail sector has its own unique cybersecurity risks, especially given the growing emphasis on online commerce. The trend toward purchasing goods and services on the internet has been going on for years. But the volume of e-commerce has seen a sharp increase since the beginning of the pandemic, when many physical stores were forced to lock down or consumers simply opted to buy online rather than visiting brick-and-mortar locations.

How Vulnerability Management Secures Supply Chain and Production in Manufacturing

Manufacturing is one of those industries that seems like a natural fit for vulnerability management, in part because these companies can be such easy targets for cybercriminals. Manufacturers in many cases operate far-flung, global facilities including factories, warehouses, and other distribution points. Increasingly, these different facilities are connected as companies look to modernize their operations through digital transformation.