Fresh Thoughts #15: Vulnerability Zero Is A Terrible Idea & Consistent Secure Configuration

Empty Mason jar sat on a table

Vulnerability Zero is a Terrible Idea

Inbox Zero is the idea that your email inbox should be empty.
Vulnerability Zero is the idea that you should fix every vulnerability.

Inbox Zero is a bad idea.
Vulnerability Zero is a terrible idea.

Here are seven reasons why:

  1. It's an endless pursuit - there'll always be one more vulnerability.
  2. There's no link to business impact - not all vulnerabilities are material to your business.
  3. The context of the vulnerability doesn't apply to your business.
  4. Vulnerability reports are based on a point in time - more significant vulnerabilities may be appearing. However, if you're still looking at the old ones... you'll miss them.
  5. The fix sometimes costs more than the impact of the vulnerability.
  6. A different security measure prevents the vulnerability from being exploited - like Swiss cheese.
  7. The vulnerability doesn't exist - it's a false positive (a.k.a. a mistake).

To be clear, this doesn't mean all vulnerabilities can be ignored.
There'll be some that certainly need to be addressed.

A risk assessment helps you decide which can be safely ignored (accepted) and which needs your attention.

The Secret to Secure Configuration: Consistency

Most IT systems have a graphical interface - with plenty of pointing and clicking.

But your team shouldn't be using them... if at all possible.

The secret to secure configuration: consistency.

Consistency comes from code. Not clicking.

Create secure configurations by:

  • Drawing a picture of what you're creating
  • Writing the commands to create the config
  • Start all configuration scripts (code) with a factory reset
  • Save changes as new versions
  • Deploy often

Clicking leaves security cracks.

Code drives consistency.

May 17, 2022
1 Minutes Read

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Related Reads

going up on a rollercoaster

Fresh Thoughts #14: The Emotional Rollercoaster of a Vulnerability Scan

Where else in life would you ask for a list of perceived flaws in excruciating detail? But that's precisely what a vulnerability scan is designed to do...

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868