Written in collaboration with Joel Ashman
The immutable truth that vulnerability management (VM) programs have long adhered to is that successful programs should follow a consistent lifecycle. This concept is simply a series of phases or steps that have a logical sequence and are repeated according to an organization’s VM program cadence.
A lifecycle gives a VM program a central illustrative model, defining the high-level series of activities that must be performed to reduce attack surface risk — the ultimate goal of any VM program. This type of model provides a uniform set of expectations for all stakeholders, who are often cross-functional and geographically dispersed. It can also be used as a diagnostic tool to identify bottlenecks, inefficiencies, or gaps (more on that later).
There are many lifecycle model prototypes in circulation, and they are generally comparable and iterative in nature. They break large-bucket activities into four, five, or six phases of work which describe the effort needed to prepare and scan for vulnerabilities or configuration weaknesses, assess or analyze, distribute, and ultimately address those findings through remediation or another risk treatment plan (i.e. exceptions, retire a server, etc).
While any one specific lifecycle will (and should) vary by organization and the specific tools in use, there are some fundamental steps or phases that remain consistent. This educational series will focus on introducing those fundamental building blocks, followed by practical demonstrations on how best to leverage Rapid7 solutions and services to accelerate your program.
In this first installment of a multipart blog and webinar series, we will explore the concept of a VM program lifecycle and provide practical guidance and ..
Support the originator by clicking the read the rest link below.
