In the past (at companies under PCI compliance) we've had a vulnerability scanner that runs at intervals (monthly or quarterly) and tells you what needs to be patched (or covered with paperwork, ie "documentation of mitigating controls.") It is updated with the latest CVE entries on its own interval, presumably before scanning.
The scanner may dump its output into a ticket system, or not. Depends on how you want to track the work. On Mon, Mar 17, 2014 at 2:23 PM, Phil Pennock < [email protected]> wrote: > What are people currently using for tracking status of security updates > of software which you depend upon in production? This is separate from > "apply vendor security updates" as it pertains to the items which you > build from source or with custom packaging, because it's a core part of > the line of business, or for whatever other reason. > > Just tickets in your regular ticketing system, perhaps in a special > queue? Something else? What sort of automation? > > Eg, a vendor security notice (Ubuntu USN or whatever) comes in; does it > tie into existing tickets with CVEs already tracked and handled, or is > it a new issue? Is it partly for something already dealt with, but > there's an extra CVE which was fixed and which needs a new rollout? > How do you track when you'll need customer/client notification, vs just > being able to hotfix? How do you track release qualification status? > > If you're using an existing ticketing system with some customisation, > are there any templates which you can share? > > Thanks, > -Phil > _______________________________________________ > Discuss mailing list > [email protected] > https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss > This list provided by the League of Professional System Administrators > http://lopsa.org/ >
_______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
