Not keeping up with patches for vulnerabilities known to increase security risk is nothing short of irresponsible. But learning which impactful vulnerabilities actually affect you, and being able to patch the systems that truly need updates, is not as easy as it may sound. In a reactive mode driven by the news of the day, this is a losing battle.
Log4j and Spring4Shell made plenty of noise in 2022, and 2023 shows no signs of letting up: these old vulnerabilities are still associated with patches being released today. Hitting the news just now is yet another old vulnerability whose patch has been available since early 2021 but which is somehow still behind a wave of ransomware attacks affecting ESX Server.
Organizations that initially strive to keep everything patched and up to date in order to minimize such risks quickly learn that the volume of patches being released is too great, given the preparation, testing, and staged deployment needed to apply patches safely. Proper software vulnerability management means constantly reviewing what is impacting your environment and responding surgically only to those issues that actually require attention.
In a world where serious vulnerabilities are announced with disturbing frequency, it is important to invest in a solution that not only keeps up with the threat landscape but also delivers enhancements that help you be more productive in your efforts to stay secure.
2022 was a big year for Flexera’s Software Vulnerability Management solutions. Chief among the big investments customers witnessed in SVM was the evolution of our user experience via an overhaul of our web-based admin interface and the introduction of a new Patch Publisher tool. There were 17 releases throughout the year between SVR, SVM Cloud, and SVM On-prem. Check out just some of the key enhancements below, with links to individual release announcements.
As 2022 began, SVM had just reacted quickly to the threat to Log4j by introducing a targeted awareness report that could help identify where it may be hiding on scanned endpoints. Details.
An ability to ignore but log specific paths provided customers the ability to control the focus of scans, but not at the expense of being aware of what vulnerable software exists. Details.
The new web-based user interface was not just a facelift: it brought multi-browser support (and an end to the ActiveX dependency of the previous console) by moving restricted operations such as creating and publishing patches into a new Patch Publisher tool. New UI Details. Patch Publisher Details.
While nothing can beat the certainty of a file signature-based scan for vulnerable software, we responded to customer feedback to introduce an alternative, inventory-based assessment to provide a heat map of possible concerns affecting systems not traditionally scanned. Details.
We iterated on the new Patch Publisher throughout the year, adding more and more power in a long list of ways, including criteria-driven publishing automation, proxy support, BigFix publishing support, integration with AdminStudio, the ability to publish patches to more than one deployment system simultaneously (e.g. Intune and ConfigMgr), and much more.
We also added the ability to automatically delete hosts whose last scan or check-in time is older than a specified number of days.
Scanning of cloud-stored files on Windows and Mac systems can now be configured so that cloud-hosted files, such as those managed by OneDrive, are optionally not downloaded during a scan.