The team at Flexera continues to deliver on the promise of providing a better way to mitigate security risk for organizations that simply can't afford to keep throwing people at the challenge of addressing software vulnerabilities.    Proper software vulnerability management means effectively identifying and prioritizing the work of patch management, leveraging insights based on threat and vulnerability intelligence. With over 20,000 new vulnerabilities every year, businesses simply can't patch all applications and so must spend their time and effort only on those that represent a significant risk to their IT infrastructure. This can be achieved with Software Vulnerability Manager thanks to four key attributes necessary for success.   Reliable Research  Effective Assessment  Intelligent Prioritization  Rapid Remediation  Improving the power of SVM, we’ve had significant new advances in the areas of both prioritization and remediation. But let’s quickly address each to better appreciate the context of these recent enhancements …  Reliable Research. Acquired by Flexera in 2015, Secunia is well known for quality security research. The Secunia Research team has written over 3,300 insightful security advisories so far this year and it is this valuable research on which SVM is built. Advisories are product-version focused and may contain multiple CVE references. This makes understanding and ranking the importance of updates much easier by focusing on the product version's collective vulnerabilities, versus on specific individual vulnerabilities. Vulnerabilities are validated, documented and rescored based on very specific criteria, providing a normalized view as compared to the wild inconsistencies you’ll observe in a raw resource like the National Vulnerability Database (NVD).   Effective Assessment. File signatures are leveraged to quickly and accurately identify vulnerable versions of software. In many cases, a simple inventory does not provide the granularity necessary to accurately identify the existence of a vulnerable software version. SVM detects over 50k vulnerable software versions.  Intelligent Prioritization. SVM shows you how many vulnerable software instances exist and where they are. Not all assets represent the same risk so you may wish to focus on one group of devices over another. Naturally, with the research attached, you can prioritize based on criticality rating or CVSS score, leveraging our vulnerability intelligence. Further, you can now consider which vulnerabilities have exploits in the wild, leveraging our threat intelligence. Most organizations have more to patch than they have resources to do so, with more popping up regularly. Ensuring you are focusing on those that represent the most risk to your organization is crucial.   Rapid Remediation. With the new SVM Vendor Patch Module, you can now leverage over a thousand out-of-the- box patches (as well as get help with an additional thousand others). Over 50% of time spent on patching is typically focused on researching and testing how to create a patch. Get that time back with integrated access to the largest set of patch information available on the market.   SVM keeps getting better. The recent addition of threat intelligence, and now a gigantic set of out-of- the-box patches is just the beginning. SVM has also just recently released a documented API for SVM 2019, so that you can integrate with other systems and automate custom reporting. Stay tuned for more great enhancements to the best way to protect your organization from the dangers of unpatched software.   ... View more

Today marks the release of SVM 2019 R3 (for cloud, the on-prem edition will be updated next week) which has some new capabilities I think you’ll really appreciate! It includes the new Vendor Patch Module, documented APIs, as well as agent and smart group enhancements. The Vendor Patch Module is a new optional feature of SVM 2019 that provides over a thousand out-of-the-box patches as well as details to help you easily create over a thousand others. API Support is now documented allowing you to integrate SVM 2019 with other systems and processes as well as to pull data for the creation of custom reports.  A signed version of the SVM agent is now available. The standard agent downloads are still available which inject a token to match the agent to your account. This is simple to use but breaks our ability to sign the agent. For those that wish to use a signed version of the agent, a separate download is now provided for which you can specify your account token via an INI file or registry entry (see documentation for details). CVSS scores have been added as available criteria when creating new Product or Advisory based smart groups. This way, you can focus on specific ranges of products and advisories based on criticality. You’ll also notice the SVM login screen looks different—this was introduced for some consistency between products. For more details on SVM 2019 R3, please see the release notes. For more details on the Vendor Patch Module, see this blog post.  ... View more

As you see what this is and what’s gone into it, I think you’ll quickly appreciate that this is the result of a very large effort by a lot of people. It took a very long time to bring it to you—I am appropriately excited to finally unveil it to you! SVM takes software patch management far beyond that of a simple patch catalog. It provides integrated vulnerability research by our Secunia Research team, assesses where vulnerable software is found and provides you with easy-to-leverage insights for prioritizing remediation efforts. It also provides patches so you can more quickly remediate popular applications by publishing updates via WSUS or SCCM. Our patches are wrapped in scripts that provide consistency and customization options. They can also handle edge cases where the vendor update may not behave as expected. To offer such patches, many criteria needed to be met, including the need for the set up to be freely distributable, silently installable and to behave as reliably as expected. Additionally, SVM is all about addressing software vulnerabilities, so we only created patches when a known security vulnerability would be addressed. Organizations spend way too much time creating deployment packages to update software, and see a patch catalog as a way to offset some percentage of that effort. SVM offers far more patch management capabilities than any patch catalog ever could. However, choosing SVM for all its insights and capabilities should not mean compromising on accessing a large number of time-saving patches. Today, with the release of the Vendor Patch Module, SVM can now provide over a thousand patches out of the box, as well as details on more than a thousand others to help you create even more patches faster. With awareness of so many vulnerabilities (thanks to Software Vulnerability Manager) and so many patches at your disposal (thanks to the Vendor Patch Module) you are likely to quickly appreciate the need for intelligent prioritization. Some environment-specific testing is still required, and so you must resist just publishing huge numbers of patches, and prioritize appropriately to patch responsibly. SVM helps you to prioritize by prevalence (how many affected devices are out there), by criticality (the seriousness of a vulnerability), by affected assets (it is common to prioritize some groups of devices over others), and finally, by our new threat score. A threat score is a 0-99 value illustrating the likelihood the vulnerability is being exploited. Threat Intelligence introduces a new level of insight in prioritization. Most exploited vulnerabilities see a CVSS score between 4 and 7 which would make them outside a typical prioritization that focused on criticality alone. In fact, if you look at the top 20 biggest software vendors, they only represent about 20% of last year's exploited vulnerabilities. SVM with the Threat Intelligence Module and the new Vendor Patch Module work great together by helping you to better prioritize the many patches now at your disposal. And to that end, there is a promotion on now for the first 100 customers who purchase the Vendor Patch Module: We will provide a free year of the Threat Intelligence Module. Contact your customer support manager or sales representative today to take advantage or contact us here. Resources Webinar Registration Datasheet List of Patches Included Documentation ... View more