Vulnerability Management can be a tedious and time consuming job of trying to sift through a never ending stream of new, old or undefined CVEs. It can be challenging to prioritize severity-based SLAs when default assessments are inaccurate: they don’t factor in the criticality of the affected asset, or understand custom infrastructure and existing mitigations and/or gaps. Ultimately, having low confidence in scanning results and reported vulnerabilities leads to alert fatigue and diminishes trust in the security team.

In our talk, we will lay out our team’s approach towards automating vulnerability management for our entirely cloud-based infrastructure and why standard industry approaches were lacking. We will discuss our work of centralizing all vulnerabilities and automating detection, risk assessment, vulnerability reporting, and vulnerability fix verification in a scalable manner. We want to share how we developed internal tooling that allows us to be vendor agnostic, not rely on default risk severities, and reduce operational work as much as possible.