Wednesday, September 10, 2008

challenges with vulnerability management

Recent information leakage studies (the Verizon one) identify that intrusions occur from vulnerabilities that are more than a year old and often easily fixed by patching. The poorly informed would cry "just apply the patches". Well, here are some of the challenges:

- It's easy to test if you aren't running apps. Umm, but aren't all partner-facing or internet-facing systems running apps? Hmmm.
- You need to test; sometimes patches break things, especially poorly coded legacy apps. Sometimes those apps aren't supported and you may have a situation where you can't turn off the vulnerable functionality or apply the patch.
- Testing: proper testing involves functional and non-functional testing, maybe even performance and volume testing. No surprise that it costs big bucks, and which app owners are going to cough up for testing on apps already in production that are not cashed up with capex approvals etc.?


Approaches:

- Risk assess systems, focus on the most critical.
- Have a regular patch schedule aligned with testing, that also updates the SOE.
- Deploy an IPS/WAF/reverse proxy in listen-only mode, ready to help block an exploit that has pwned you, so that after you have rebuilt you can protect against re-pwnage.
