empty-jar

Vulnerability Zero is a Terrible Idea

  • Security Processes
  • Experience

📅 May 16, 2022

⏱️1 min read

Inbox Zero is the idea that your email inbox should be empty. Vulnerability Zero is the idea that you should fix every vulnerability.

Inbox Zero is a bad idea. Vulnerability Zero is a terrible idea.

Here are seven reasons why:

  1. It's an endless pursuit - there'll always be one more vulnerability.
  2. There's no link to business impact - not all vulnerabilities are material to your business.
  3. The context of the vulnerability doesn't apply to your business.
  4. Vulnerability reports are based on a point in time - more significant vulnerabilities may be appearing. However, if you're still looking at the old ones... you'll miss them.
  5. The fix sometimes costs more than the impact of the vulnerability.
  6. A different security measure prevents the vulnerability from being exploited - like Swiss cheese.
  7. The vulnerability doesn't exist - it's a false positive (a.k.a. a mistake).

To be clear, this doesn't mean all vulnerabilities can be ignored. There'll be some that certainly need to be addressed.

A risk assessment helps you decide which can be safely ignored (accepted) and which needs your attention.

Next Post →