Can someone provide some information regarding the creation of a dynamic list with the "No Patch Solution" setting enabled? If I were to create a policy for ticket remediation with the below setting, what are some of the implications that I would be facing?
We are trying to tune the Qualys VM remediation flows and would like to create some additional policies. A good example is QIDs that have been added in Qualys for which the vendor (Microsoft, Cisco, etc.) has not released a patch yet. Since the vendor has not released a patch, the logic is that our remediation team cannot work on this and that the ticket will be assigned and will start to age because no one can work on it. So I've been asked to come up with a policy for the ticket workflow where these "No patch" vulnerabilities are auto-closed after a scheduled scan.
Is this a good practice to follow?
Is there a better way to handle this?
What are the implications if I do this?
Will we miss something? Meaning, do these "No patch solution" vulnerabilities have any other type of solution?
Feedback would be appreciated.
ds0101, please permit me to weigh in on your post.
Is this a good practice to follow? In my opinion, no, this wouldn't be advisable based on the information you have provided. Here's why. Today, I performed a KB search on "No Patch Solution", Confirmed and Potential, Severity 1..5, and then I downloaded and pivoted the results. I have attached my spreadsheet in case you would like to use it to explore further. What I found was that by suppressing just CVSS Base Score 8.0 - 10.0, you would exclude 754 meaningful, critical, legitimate vulnerabilities.
Is there a better way to handle this? Yes, I strongly recommend reaching out to your technical account manager (TAM) for support. A more in-depth conversation is needed. The development of a strong Vulnerability Management program requires an understanding of your security policy, standards, and guidelines and the use-cases that fall therein. Your subscription can be customized to match your program.
What are the implications if I do this? I have done my best to quantify the impact of such a configuration change.
Will we miss something? Guaranteed.
Meaning, do these "No patch solution" vulnerabilities have any other type of solution? Remediation can be a patch, a software upgrade, a configuration change, or a combination thereof. Patching is not the sole method of vulnerability remediation or risk mitigation. It is a component of a robust platform security program that includes secure configuration and a well thought-out routine maintenance program.
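As an added illustration (not part of either post, and not Qualys code), the Python below sketches the check the reply describes: it estimates what an auto-close rule keyed on the "No Patch Solution" flag would discard, over a few constructed records shaped like a KnowledgeBase export, and routes those tickets to a mitigation or review queue instead of closing them. The field names, QIDs and solution texts are assumptions.

```python
# Added example, not from the original thread or Qualys: estimate what an
# "auto-close when No Patch Solution" rule would suppress, then route those
# tickets somewhere useful. Record layout, QIDs and texts are constructed.
from dataclasses import dataclass


@dataclass
class KBRecord:
    qid: int
    severity: int      # Qualys severity 1..5
    cvss_base: float
    no_patch: bool     # "No Patch Solution" flag from the KB export
    solution: str      # solution text as exported


# Constructed sample records; QID values are placeholders, not real QIDs.
SAMPLE_KB = [
    KBRecord(900001, 5, 9.8, True, "No patch available. Disable the affected service or restrict network access."),
    KBRecord(900002, 4, 8.1, True, "Upgrade to a later major version; no fix for this branch."),
    KBRecord(900003, 2, 4.3, True, "No vendor fix. No known workaround."),
    KBRecord(900004, 5, 9.1, False, "Apply the vendor patch."),
    KBRecord(900005, 3, 6.5, True, "Set the configuration option to a secure value."),
]

# Words that signal a non-patch remediation (config change, upgrade, workaround).
MITIGATION_HINTS = ("disable", "restrict", "upgrade", "configuration", "workaround", "set ")


def has_non_patch_remediation(rec: KBRecord) -> bool:
    """True when the solution text describes something other than a patch."""
    text = rec.solution.lower()
    return any(h in text for h in MITIGATION_HINTS) and "no known workaround" not in text


def autoclose_impact(records, cvss_floor=8.0) -> dict:
    """Count what an 'auto-close if no_patch' rule would discard."""
    closed = [r for r in records if r.no_patch]
    return {
        "closed": len(closed),
        "critical_closed": sum(1 for r in closed if r.cvss_base >= cvss_floor),
        "closed_with_mitigation": sum(1 for r in closed if has_non_patch_remediation(r)),
    }


def triage(rec: KBRecord, cvss_floor=8.0) -> str:
    """Safer routing: a missing patch alone never closes a ticket."""
    if not rec.no_patch:
        return "patch-queue"
    if has_non_patch_remediation(rec):
        return "mitigation-queue"       # config change / upgrade / workaround
    if rec.cvss_base >= cvss_floor:
        return "risk-acceptance-review"  # critical with nothing to apply yet
    return "monitor"                     # keep open, re-evaluate on each scan
```

Run `autoclose_impact(SAMPLE_KB)` to see that the rule would close four tickets, two of them CVSS 8.0 or higher and three with a non-patch remediation available.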