Is it possible to manage vulnerabilities with no budget? Well, basically yes. Most of the work in the Vulnerability Management process does not require purchasing any solutions. You won't need them to detect and describe assets, or to discuss SLAs for vulnerability remediation (and preferably regular patching) with asset owners. And it's not that difficult to automate the creation of remediation tasks and the tracking of their statuses.
The main problem is vulnerability detection. It is difficult to imagine an organization's infrastructure for which the capabilities of free utilities will be enough. Unless only Linux hosts are used there and software is installed only from the official repository. Then OpenSCAP with OVAL content from your Linux vendor will be enough. 🙂
When using commercial VM solutions, there will also be "blind spots" - unsupported software or hardware installations. But if you use only free utilities, it will be one big "blind spot". 🙈
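As an added illustration (not code from the original post), here is one way to turn the results file written by `oscap oval eval --results` into remediation tasks with due dates, and to list the definitions the scan could not decide. The SLA values, the host name, the Red Hat-style `advisory/severity` metadata and the sample XML are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# Assumed SLA in days per vendor severity; real values are agreed with asset owners.
SLA_DAYS = {"Critical": 7, "Important": 30, "Moderate": 90, "Low": 180}
# Constructed, heavily trimmed sample shaped like an OVAL results file.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
  <definition id="oval:example:def:1" class="patch" version="1"><metadata>
   <title>EXAMPLE-0001: openssl security update</title>
   <reference source="CVE" ref_id="CVE-0000-0001"/>
   <advisory><severity>Important</severity></advisory></metadata></definition>
  <definition id="oval:example:def:2" class="patch" version="1"><metadata>
   <title>EXAMPLE-0002: bash security update</title></metadata></definition>
  <definition id="oval:example:def:3" class="patch" version="1"><metadata>
   <title>EXAMPLE-0003: kernel security update</title></metadata></definition>
 </definitions></oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:example:def:1" result="true" version="1"/>
  <definition definition_id="oval:example:def:2" result="false" version="1"/>
  <definition definition_id="oval:example:def:3" result="unknown" version="1"/>
 </definitions></system></results>
</oval_results>"""

def triage(results_xml, host, found_on):
    """Return (tasks, unevaluated) for one host's OVAL results."""
    root = ET.fromstring(results_xml)
    meta = {d.get("id"): d.find("def:metadata", NS) for d in
            root.iterfind("def:oval_definitions/def:definitions/def:definition", NS)}
    tasks, unevaluated = [], []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        def_id, result = r.get("definition_id"), r.get("result")
        if result == "true":  # for class="patch": the update is missing on this host
            m = meta[def_id]
            sev = m.findtext("def:advisory/def:severity", default="", namespaces=NS)
            # Missing or unrecognised severity gets the shortest SLA, so it is triaged first.
            days = SLA_DAYS.get(sev, min(SLA_DAYS.values()))
            cves = [x.get("ref_id") for x in m.iterfind("def:reference[@source='CVE']", NS)]
            tasks.append({"host": host, "title": m.findtext("def:title", namespaces=NS),
                          "cves": cves, "severity": sev or "unrated",
                          "due": found_on + timedelta(days=days)})
        elif result != "false":  # error / unknown / not evaluated: a detection blind spot
            unevaluated.append(def_id)
    return tasks, unevaluated

if __name__ == "__main__":
    print(triage(SAMPLE, "web01.example.internal", date.today()))
```

The `unevaluated` list only covers definitions the vendor content contains; software outside the official repository never appears in it at all.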
@avleonovcom #VMprocess #Detection