Managing software vulnerabilities is a universal problem.

While unknown flaws in code or system design are part of the vulnerability management process, responsible disclosure policies and bug bounties have greatly reduced the prevalence of zero-day attacks. Unknown security holes that attackers exploit are usually at high-value targets, such as Fortune 500 companies, government agencies and critical infrastructures.

NotPetya, WannaCry, Conficker and other well-publicized attacks took advantage of vulnerabilities that were publicly known and had available software patches. The use of known vulnerabilities is especially troubling for security professionals because these attacks can be prevented.

Companies haven't embraced the ever-changing software environments that have become reality. While technology providers have begun configuring their software to perform automatic checks to identify and install patches, IT departments have gone to great lengths to control software patching and releases and disable these automatic updates.

This need for control over the technology environment creates risk by allowing vulnerable software to continue to operate. The Equifax breach, which compromised the personally identifiable information -- including Social Security numbers -- of 145 million consumers, will become a case study for vulnerability and patch management. There's scrutiny around the timeline of events, and the company's vulnerability management process is being questioned by Congress, banks and shareholders.

Different goals

Many companies view vulnerability management and patch management as the same process. While a patch management system is the most common method to resolve software problems, there are other valid approaches to mitigating the risk of exploitation of a vulnerability. The difference between vulnerability management and patch management lies in the goals of the two processes. The vulnerability management process is about risk management. Patch management is a software deployment process. In true vulnerability management, the risk mitigation may be the installation of a patch. A mature vulnerability management process evaluates the risks involved with the software flaw and makes risk-based recommendations relative to the potential impacts of resolving the vulnerability. This process helps companies prioritize known vulnerabilities that are released at the same time to determine which one is a higher business priority. A patch management system, by comparison, evaluates the impact of applying the patch and the resources necessary without much analysis of compensating controls that could reduce or even eliminate the business risk. If vulnerability management is performed properly, a valid mitigation of the risk may not require the application of a software patch.

The Equifax attack highlights the importance of vulnerability management versus patch management. The company confirmed that an Apache Struts vulnerability was exploited in the breach. If the attack began after the patch for Apache Struts was available, a vulnerability management program could have tracked the vulnerability, evaluated the business risk and recommended various methods to mitigate it.
Using this process, a mitigating control -- such as intrusion prevention, web application firewall or system configuration change -- could have been recommended even if a patch for the software was not available. Unfortunately, if a zero-day exploit was used before a patch was available, even a mature vulnerability management process could leave the company without the ability to defend itself in a timely manner, showing why a layered approach is still necessary.

Critical updates

Companies struggle with updates to business-critical applications, such as enterprise resource planning and manufacturing planning and control systems; specialized equipment that performs a critical business process, such as industrial control systems and supervisory control and data acquisition systems; and large e-commerce infrastructures. Because these systems are critical to keeping the business operational, downtime equates to millions of dollars in lost productivity. To add to the complexity, many of these systems are either so critical that they are not allowed planned outages, or the system manufacturer has made it cost-prohibitive to keep them updated on the latest software releases. Usually, this risk is accepted at lower levels of management without realizing the true impact on the company. And to compound the risk, business-critical systems use some of the most vulnerable software. Many companies fail to acknowledge the risk of unplanned outages and breaches that they accept by not properly addressing vulnerabilities.

A mature vulnerability management process evaluates the vulnerability, regardless of the availability of a patch, and recommends the appropriate risk-mitigation technique. Risk-based vulnerability management programs help businesses manage not only the risk that application flaws present, but also the risk of software patches. Risk mitigation strategies may recommend deferring patch installation in favor of implementing a compensating control. A risk-based vulnerability management approach begins with an inventory of business-critical systems. This inventory does not need to be exhaustive of every system on the network, although that would help tremendously. In many companies, a full inventory of all software is unrealistic. Starting with the most critical systems can protect businesses from catastrophic outages and losses.
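The risk-based decision the two sections above describe (rank findings by business risk rather than by patch availability, and let a compensating control defer a patch on a system that cannot take an outage) can be written down as a small prioritization routine. This is an added illustration, not code from the article or from any vendor product; the asset inventory, the VULN-00x identifiers and the weighting factors are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: int                    # 1 (low) .. 5 (business-critical)
    internet_facing: bool
    outage_allowed: bool                # can a planned patch outage be scheduled?
    controls: frozenset = frozenset()   # compensating controls already deployed

@dataclass
class Vuln:
    vuln_id: str
    asset: Asset
    cvss: float                         # vendor/NVD base severity, 0..10
    exploited_in_wild: bool
    patch_available: bool
    blocked_by: frozenset = frozenset() # controls that would block exploitation

def risk_score(v: Vuln) -> float:
    """Business risk = severity x asset criticality x exposure; exposure drops
    when a control that blocks this flaw is already in place on the asset."""
    exposure = 1.5 if v.asset.internet_facing else 1.0
    if v.exploited_in_wild:
        exposure *= 2.0
    if v.blocked_by & v.asset.controls:
        exposure *= 0.25
    return round(v.cvss * v.asset.criticality * exposure, 1)

def recommend(v: Vuln) -> str:
    """Risk-based recommendation: the answer is not always 'install the patch'."""
    covering = v.blocked_by & v.asset.controls
    if covering:
        return f"defer patch to next maintenance window; covered by {sorted(covering)}"
    if v.patch_available and v.asset.outage_allowed:
        return "patch now"
    if v.blocked_by:
        action = f"deploy compensating control {sorted(v.blocked_by)}"
        return action + ("; patch in next maintenance window" if v.patch_available else "")
    return "no patch or control available: isolate asset and escalate for formal risk acceptance"

def prioritize(vulns):
    """Rank open findings by business risk, highest first, with a recommendation each."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [(v.vuln_id, v.asset.name, risk_score(v), recommend(v)) for v in ranked]

# Constructed sample inventory and findings (hypothetical systems, not real CVEs).
ERP = Asset("erp-prod", 5, False, False)
SHOP = Asset("web-shop", 4, True, True, frozenset({"waf"}))
WKS = Asset("hr-workstation", 1, False, True)
SAMPLE_VULNS = [
    Vuln("VULN-001", SHOP, 9.8, True, True, frozenset({"waf"})),       # RCE in web framework
    Vuln("VULN-002", ERP, 7.8, False, True, frozenset({"host_ips"})),  # local privilege escalation
    Vuln("VULN-003", WKS, 9.0, True, True),                            # client-side RCE
]
```

Running `prioritize(SAMPLE_VULNS)` puts the non-internet-facing ERP flaw ahead of the higher-CVSS web-shop flaw, because the WAF already covers the latter, and recommends a host control plus a deferred patch for the ERP system that cannot take an outage.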