Firstly, Parag, nice work on the Webex today on Vulnerability Management Metric.
I wanted to provide my thoughts on, and anticipation of, NopSec's VRM platform's automated availability of Progress as a Metric, as you touched on in the Webex. My organization (as a current NopSec VRM customer) manually requested these types of metrics in 2018.
Our manual request was for the ability to measure the progress of the vulnerability remediation from one scheduled scan date (be it monthly, quarterly or bi-annually) to the next scan date. Our request was to be able to show the progress of the remediation of the vulnerabilities from 'scan 1' and identify separately the vulnerabilities from 'scan 2'.
Example of reporting that I would like to be able to see in the VRM portal:
Scan Date 1:
- Scan 1 Results: X Vulnerabilities found
Scan Date 2:
- Scan 1 Results as of Date 2: Details on which of the Scan 1 X Vulnerabilities were remediated and which of X Vulnerabilities were still open as of Date 2. (aka the progress from scan 1)
- Scan 2 Results: Y Vulnerabilities found. All Y vulnerabilities would be unique and new Vulnerabilities from Scan 1.
This will allow our organization to show how many vulnerabilities from Scan 1 were remediated between scan dates and whether we met our organization's remediation time frames. This can show the progress on the Scan 1 issues, even if the total number of open vulnerabilities at Date 2 (sum of Scan 1 and Scan 2) may have increased from Date 1.
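The scan-over-scan comparison the post describes, as an added example (not NopSec VRM code or the commenter's): it splits Scan 1 findings into remediated versus still open as of Date 2, lists the findings new in Scan 2, and flags still-open Scan 1 findings whose remediation window has elapsed. The finding key (host plus vulnerability id), the severities and the per-severity time frames are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One scanner finding; host + vuln_id lets the same issue be matched across scans."""
    host: str
    vuln_id: str
    severity: str  # "critical", "high", "medium" or "low"


# Assumed remediation time frames per severity, in days (hypothetical policy values).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def scan_progress(scan1, scan1_date, scan2, scan2_date, sla_days=SLA_DAYS):
    """Compare Scan 1 results against Scan 2 results taken on a later date.

    remediated: Scan 1 findings no longer reported in Scan 2
    still_open: Scan 1 findings still reported in Scan 2
    new:        findings first reported in Scan 2
    sla_missed: still-open Scan 1 findings whose window, counted from scan1_date,
                had already elapsed by scan2_date
    total_open_at_scan2 equals still_open + new, which can exceed the Scan 1 count
    even when Scan 1 progress was good.
    """
    s1, s2 = set(scan1), set(scan2)
    still_open = s1 & s2
    elapsed_days = (scan2_date - scan1_date).days
    sla_missed = {f for f in still_open if elapsed_days > sla_days[f.severity]}
    return {
        "remediated": s1 - s2,
        "still_open": still_open,
        "new": s2 - s1,
        "sla_missed": sla_missed,
        "total_open_at_scan2": len(s2),
    }


def demo():
    """Constructed sample: two monthly scans 31 days apart."""
    scan1 = [Finding("web01", "V-A", "critical"), Finding("web01", "V-B", "high"),
             Finding("db01", "V-C", "medium")]
    scan2 = [Finding("web01", "V-B", "high"), Finding("db01", "V-C", "medium"),
             Finding("app03", "V-D", "high"), Finding("web01", "V-E", "low")]
    return scan_progress(scan1, date(2018, 1, 1), scan2, date(2018, 2, 1))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```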