Vulnerability scanning needs to be done continuously, and there needs to be a process in place for what to do with all the data that the vulnerability scanner provides.
Once companies have started to run these scans, they very quickly realize a couple of things:
- There is a massive number of vulnerabilities in their network.
- They do not have enough time, resources or service windows to be able to patch them all.
- The built-in scoring (CVSS) will rate a huge number of them as critical, so even limiting patching to findings rated critical by CVSS will not make it possible to address them all.