Vulnerability Management

How are companies addressing vulnerability backlogs?

Vulnerability backlogs are commonly dealt with using one of three approaches. But what are they missing?
Thomas Ballin
3 minute read

Common approaches

There are a few interesting approaches to addressing a vulnerability backlog. Team resources, budget and business focus all affect how cyber security teams choose to manage them. Let’s take a look at three common strategies.

1) Prioritisation tools

Certain businesses are looking at sophisticated prioritisation tools to understand which issues they should treat first. Equally, they're looking at which combination of issues can be treated most effectively, for example through compensating controls or changes to the way the underlying business process works.

This approach helps in tackling an existing backlog; however, it doesn't address how the backlog is being introduced in the first place.

2) Changing the lifecycle stages

On the other hand, some organisations feed vulnerabilities back to developers earlier in the vulnerability management lifecycle, for example by feeding SAST (static application security testing) results straight back to developers. The aim here is to make the process of fixing vulnerabilities faster and to shorten mean time to response (MTTR). In theory this is fine; in practice it has its challenges and limitations, and in some cases it can actually cause more problems.

3) Wipe the slate clean

A third approach is to wipe the vulnerability backlog clean altogether. Attention then shifts to improving processes going forward so that it doesn't build up again. This is a brave and understandable approach, but not necessarily an optimal one.

A context-first approach

In all of these approaches there's one key strategy that is missing. Whether vulnerability information is coming from a bug bounty, an automated tool or a penetration test, it's crucial that the data associated with it is as detailed as possible. This starts with the development ticket outlining the change and continues at every data point down the workflow. Vulnerabilities that are heavily contextualised are much easier to prioritise and remediate, and that context ensures that actions are always taken from an informed position.

This proactive approach to preventing vulnerability backlogs ultimately means remediation efforts aren't left confused and set aside. Instead, remediation is quick, efficient and effective in removing vulnerabilities from systems as they appear.
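As an added illustration of the context-first idea (not code from the post or its author): findings from SAST, a pentest and a bug bounty are normalised into one record, a finding only enters the remediation queue once it carries the minimum context needed to act on it, and documented compensating controls lower its priority rather than being ignored. The required context fields, exposure weights and the discount per compensating control are assumptions for the example.

```python
from dataclasses import dataclass, field

# Assumed minimum context a finding needs before anyone can act on it.
REQUIRED_CONTEXT = ("asset", "owner", "ticket", "exposure")
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}  # assumed
CONTROL_DISCOUNT = 0.8  # assumed: each documented compensating control cuts 20%


@dataclass
class Finding:
    id: str
    source: str            # "sast", "pentest" or "bug_bounty"
    severity: float        # e.g. a CVSS base score, 0-10
    asset: str = ""        # system or service the finding lives in
    owner: str = ""        # team responsible for the fix
    ticket: str = ""       # development ticket describing the change
    exposure: str = ""     # "internet", "internal" or "isolated"
    compensating_controls: list = field(default_factory=list)


def missing_context(f: Finding) -> list:
    """Names of the required context fields this finding does not carry."""
    return [k for k in REQUIRED_CONTEXT if not getattr(f, k)]


def priority(f: Finding) -> float:
    """Severity adjusted by exposure and by each compensating control."""
    score = f.severity * EXPOSURE_WEIGHT.get(f.exposure, 1.0)
    score *= CONTROL_DISCOUNT ** len(f.compensating_controls)
    return round(score, 2)


def triage(findings):
    """Return (ordered remediation queue, findings routed for enrichment)."""
    queue, needs_context = [], {}
    for f in findings:
        gaps = missing_context(f)
        if gaps:
            needs_context[f.id] = gaps   # enrich it; don't park it silently
        else:
            queue.append(f)
    queue.sort(key=priority, reverse=True)
    return [f.id for f in queue], needs_context


# Constructed sample findings from three different sources.
SAMPLE = [
    Finding("F-1", "sast", 9.8, "api-gateway", "team-payments", "DEV-1201", "internet"),
    Finding("F-2", "pentest", 7.5, "admin-portal", "team-core", "DEV-1188", "internal", ["waf", "mfa"]),
    Finding("F-3", "bug_bounty", 8.1),   # high severity but no context at all
    Finding("F-4", "sast", 5.3, "batch-worker", "team-data", "DEV-1210", "isolated"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Note that F-3, the highest-severity bounty report after F-1, never reaches the queue until someone records where it runs and who owns the fix; that is the difference between a backlog and a to-do list.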
