Another emerging use for VA scanning engines is validating the proper configuration of a system attempting to remotely access a corporate network. If the target system does not meet the defined minimum requirements, such as running all of the critical MS patches, it can be placed into a quarantine network or denied access.
COMMITMENT
While there are different ways of engineering a VA product, the challenges faced in using one are much the same. For a VA product to reach its full potential, there has to be commitment to the technology, product, and process. Products within a given architectural area will carry nearly identical ownership implications. There are costs associated with planning and deployment, such as monitoring scans and working with the vendors on resolving false positives.
Even if architects can find and fix all the vulnerabilities identified by any one of the VA solutions, the work is not done. There are still plenty of vulnerabilities out there, many kept as close secrets by those in the know. There are new low-level vulnerabilities that no one has found. Plus, even if a system has those vulnerabilities fixed, new software can re-install an old vulnerability.
In addition, black hats are moving up the stack; the new targets are application vulnerabilities. Most public Web sites contain internally developed code, and while the application server or Web server may be secure, there are usually flaws within the application itself. Passing a different value in a URL string or POST variable, for example, could allow someone to see another person's data. While this may sound rudimentary, it happens all the time.
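The application flaw described above, a value in the URL selecting another person's data, shown beside a corrected handler. This is an added example, not code from the original article; the invoice records, user names, URL path and function names are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (assumption, not from the article).
INVOICES = {
    1001: {"owner": "alice", "total": "120.00"},
    1002: {"owner": "bob", "total": "87.50"},
}
DENIED = []  # (user, requested id) pairs kept for security monitoring


def requested_id(url):
    """Return the invoice_id from the query string, or None if malformed."""
    values = parse_qs(urlsplit(url).query).get("invoice_id", [])
    # Exactly one ASCII-numeric value is accepted; anything else is rejected.
    if len(values) != 1 or not (values[0].isascii() and values[0].isdigit()):
        return None
    return int(values[0])


def view_invoice_unsafe(session_user, url):
    """Flawed: returns whatever record the URL names; session_user is ignored."""
    return 200, INVOICES[requested_id(url)]


def view_invoice_checked(session_user, url):
    """Corrected: the record must belong to the authenticated session user."""
    invoice_id = requested_id(url)
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, None
    if record["owner"] != session_user:
        DENIED.append((session_user, invoice_id))  # signal worth alerting on
        # Same answer as "not found", so valid ids cannot be told apart.
        return 404, None
    return 200, record
```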