Vulnerability Zero is a Terrible Idea
Inbox Zero is the idea that your email inbox should be empty.
Vulnerability Zero is the idea that you should fix every vulnerability.
Inbox Zero is a bad idea.
Vulnerability Zero is a terrible idea.
Here are seven reasons why:
- It's an endless pursuit - there'll always be one more vulnerability.
- There's no link to business impact - not all vulnerabilities are material to your business.
- The context in which the vulnerability is exploitable may not apply to your business.
- Vulnerability reports are based on a point in time - newer, more significant vulnerabilities may be appearing. If you're still working through the old ones... you'll miss them.
- The fix sometimes costs more than the impact of the vulnerability.
- A different security measure prevents the vulnerability from being exploited - like Swiss cheese.
- The vulnerability doesn't exist - it's a false positive (a.k.a. a mistake).
To be clear, this doesn't mean all vulnerabilities can be ignored.
There'll be some that certainly need to be addressed.
A risk assessment helps you decide which can be safely ignored (accepted) and which need your attention.
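As an added example that is not part of the original post, the triage below turns the seven reasons into a risk assessment a team can run over a scan export: a finding is closed when it is a false positive, accepted when the vulnerable code path is not reachable in the deployment or another control already blocks it (the Swiss cheese layers), sent back for a rescan when the report is stale, and fixed only when the residual risk clears a threshold and the fix costs less than the expected loss. The Finding fields, the halving-per-control likelihood model, the thresholds and the sample findings are all constructed assumptions, not a standard.

```python
"""Risk-based vulnerability triage: decide which findings to fix and which to accept.

Added example; the scoring model and thresholds are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    severity: float               # base score, 0-10 (CVSS-like), as reported by the scanner
    asset_criticality: float      # 0-1: how material the affected asset is to the business
    exploitable_in_context: bool  # does the vulnerable feature/path exist in our deployment?
    compensating_controls: int    # independent controls already blocking exploitation
    fix_cost: float               # estimated cost to remediate
    expected_loss: float          # estimated loss if the vulnerability were exploited
    false_positive: bool = False  # confirmed scanner mistake
    report_age_days: int = 0      # how old the scan result is


def risk_score(f: Finding) -> float:
    """Residual risk: severity scaled by business impact and by what already blocks it."""
    if f.false_positive or not f.exploitable_in_context:
        return 0.0
    # Assumption: each independent compensating control halves the likelihood
    # (each Swiss cheese slice has to line up for the exploit to get through).
    likelihood = 0.5 ** f.compensating_controls
    return f.severity * f.asset_criticality * likelihood


def decide(f: Finding, fix_threshold: float = 3.0, max_report_age_days: int = 90) -> str:
    """Map a finding to one action; order matters (cheapest disqualifier first)."""
    if f.false_positive:
        return "close: false positive"
    if not f.exploitable_in_context:
        return "accept: not exploitable in our context"
    if f.report_age_days > max_report_age_days:
        return "rescan: stale report"
    if risk_score(f) < fix_threshold:
        return "accept: below risk threshold"
    if f.fix_cost > f.expected_loss:
        return "accept: fix costs more than expected loss"
    return "fix"


def triage(findings):
    """Return (decision, residual risk, id) tuples, highest residual risk first."""
    rows = [(decide(f), risk_score(f), f.id) for f in findings]
    return sorted(rows, key=lambda row: -row[1])


# Constructed sample findings (not from any real scan).
SAMPLE_FINDINGS = [
    Finding("F-1", 9.8, 1.0, True, 0, fix_cost=2_000, expected_loss=500_000),
    Finding("F-2", 7.5, 0.8, True, 2, fix_cost=10_000, expected_loss=20_000),
    Finding("F-3", 5.0, 0.2, False, 0, fix_cost=1_000, expected_loss=1_000),
    Finding("F-4", 9.0, 1.0, True, 0, fix_cost=500, expected_loss=100_000, false_positive=True),
    Finding("F-5", 8.0, 0.9, True, 0, fix_cost=100_000, expected_loss=5_000),
    Finding("F-6", 8.0, 1.0, True, 0, fix_cost=3_000, expected_loss=50_000, report_age_days=200),
]


def triage_sample():
    return triage(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for decision, score, fid in triage_sample():
        print(f"{fid}: residual risk {score:.1f} -> {decision}")
```

Only F-1 comes out as "fix"; the other five are each dropped by one of the reasons above, which is the point: the backlog shrinks because of the assessment, not because the team ran out of time.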
The Secret to Secure Configuration: Consistency
Most IT systems have a graphical interface - with plenty of pointing and clicking.
But your team shouldn't be using them... if at all possible.
The secret to secure configuration: consistency.
Consistency comes from code. Not clicking.
Create secure configurations by:
- Drawing a picture of what you're creating
- Writing the commands to create the config
- Starting every configuration script (code) with a factory reset
- Saving changes as new versions
- Deploying often
Clicking leaves security cracks.
Code drives consistency.