20 Feb 2024, 8 min read

How are companies addressing their vulnerability backlogs?

There are a few interesting approaches to addressing a vulnerability backlog. Some businesses bring in sophisticated tools, others look at feeding the vulnerabilities back to developers earlier in the SDLC, and others choose to wipe the slate clean entirely. So, what's the optimal way to address your vulnerability backlog?

Sian-Louise Montgomery
Marketing Consultant


Some businesses are bringing in sophisticated prioritisation tools that help them understand which issues to treat first. They are also looking at which combinations of issues can be treated most effectively, whether through compensating controls or through a change to the way the underlying business process works.

Other organisations feed vulnerabilities back to developers earlier in the lifecycle, for example by sending SAST results straight to the development team. This has its challenges and limitations, not least that unfiltered scanner output is noisy, and it can quickly become headache inducing.

There is then a third type of organisation, the ones who aggressively say "We're not going to work through our vulnerability backlog, we're just going to accept it. We're going to wipe the slate clean and from now on we're going to develop things in a better way." This is a brave and understandable approach, but not necessarily an optimal one: the accepted risk does not go away just because the tickets do.

In all of these approaches, one thing businesses often miss, and which is also a great opportunity for dealing with the vulnerability backlog, is making sure they capture the best-quality information they can at the point a vulnerability is first recorded.

Whether a finding comes from a bug bounty, a tool or a pen test, before it hits the backlog you should do everything you can to enrich it with the data from the various sources available to you. That way, whatever prioritisation, developer feedback or other process you apply afterwards is run from a well-informed position.
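As an added illustration of that enrichment step (example code written for this page, not Cytix's tooling or anything from the original post), the following Python takes constructed findings from several intake channels, merges reports of the same weakness on the same asset, enriches them from a hypothetical asset inventory and compensating-control register, and only then scores them. The findings, inventory, controls and scoring weights are all made-up assumptions; the one design point worth copying is that a finding whose asset is unknown or that carries no severity is parked for triage rather than quietly scored low and buried.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample intake: the same SQL injection reported by SAST and by a pen test,
# plus two XSS findings. Hypothetical data, not real scanner output.
RAW_FINDINGS = [
    {"source": "sast", "asset": "payments-api", "location": "src/pay.py:88", "cwe": "CWE-89", "cvss": 8.8},
    {"source": "pentest", "asset": "payments-api", "location": "POST /v1/charge", "cwe": "CWE-89", "cvss": None},
    {"source": "bugbounty", "asset": "marketing-site", "location": "/search?q=", "cwe": "CWE-79", "cvss": 6.1},
    {"source": "dast", "asset": "internal-wiki", "location": "/login", "cwe": "CWE-79", "cvss": 6.1},
]

# Constructed asset inventory (hypothetical). internal-wiki is deliberately missing.
ASSET_INVENTORY = {
    "payments-api": {"owner": "payments-team", "internet_exposed": True, "criticality": 3},
    "marketing-site": {"owner": "web-team", "internet_exposed": True, "criticality": 1},
}

# Controls already known to mitigate a weakness class on an asset (hypothetical).
COMPENSATING_CONTROLS = {("marketing-site", "CWE-79"): "CSP + WAF rule"}


@dataclass
class EnrichedFinding:
    asset: str
    cwe: str
    sources: List[str] = field(default_factory=list)
    locations: List[str] = field(default_factory=list)
    cvss: Optional[float] = None
    owner: Optional[str] = None
    internet_exposed: Optional[bool] = None
    criticality: Optional[int] = None
    compensating_control: Optional[str] = None
    priority: Optional[float] = None
    status: str = "scored"


def score(rec: EnrichedFinding) -> float:
    """Assumed weighting: severity scaled by business criticality and exposure,
    boosted when independent sources agree, halved when a control already applies."""
    value = rec.cvss * {1: 0.6, 2: 1.0, 3: 1.4}.get(rec.criticality, 1.0)
    if rec.internet_exposed:
        value *= 1.5
    if len(set(rec.sources)) > 1:
        value *= 1.2
    if rec.compensating_control:
        value *= 0.5
    return round(value, 2)


def enrich(raw_findings, inventory, controls) -> List[EnrichedFinding]:
    merged: Dict[Tuple[str, str], EnrichedFinding] = {}
    # Step 1: merge reports of the same weakness on the same asset, whatever the source,
    # keeping every location and the highest severity any source supplied.
    for f in raw_findings:
        key = (f["asset"], f["cwe"])
        rec = merged.setdefault(key, EnrichedFinding(asset=f["asset"], cwe=f["cwe"]))
        rec.sources.append(f["source"])
        rec.locations.append(f["location"])
        if f.get("cvss") is not None:
            rec.cvss = max(rec.cvss or 0.0, f["cvss"])
    # Step 2: attach ownership, exposure and known controls; park anything that cannot be scored.
    for rec in merged.values():
        asset = inventory.get(rec.asset)
        if asset is None or rec.cvss is None:
            rec.status = "needs_triage"
            continue
        rec.owner = asset["owner"]
        rec.internet_exposed = asset["internet_exposed"]
        rec.criticality = asset["criticality"]
        rec.compensating_control = controls.get((rec.asset, rec.cwe))
        rec.priority = score(rec)
    # Scored items first, highest priority at the top; the triage queue at the end.
    return sorted(merged.values(), key=lambda r: (r.status == "needs_triage", -(r.priority or 0.0)))


if __name__ == "__main__":
    for r in enrich(RAW_FINDINGS, ASSET_INVENTORY, COMPENSATING_CONTROLS):
        print(f"{r.asset:15} {r.cwe:7} {r.status:12} priority={r.priority} sources={r.sources} owner={r.owner}")
```

Run as written, the corroborated SQL injection on the exposed payments API comes out on top with both its source code and HTTP locations attached and an owner to route it to, the bug-bounty XSS is scored down because a control already covers it, and the wiki finding lands in a triage queue because nobody has told the inventory what that asset is. Whatever prioritisation scheme you prefer, the point is that these decisions are made once, with all the context, before the finding becomes a backlog item.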
