We have recently completed a big patching exercise across our Windows server estate, yet the volume of vulnerabilities has not reduced as dramatically as we expected. Our Windows server people are not too pleased with this, and it has caused them to question the accuracy/integrity of our scanning.
We do not use authenticated scanning, yet if I run patch reports it appears that we are totally up to date with MS Patches for operating systems, but have a residual amount of patches associated with Apache, MSSQL, Oracle and HP System Management. The Server management patches aside, this would back up the claims of our server folk who are only responsible for the OS and the hardware. We have other teams that look after the other stuff.
In discussing this phenomenon with a consultant the other day, I was told that this is not an uncommon situation and that in many organizations Windows server teams do not see much past Patch Tuesday, so I wondered if anybody out there would have similar experiences or could point me in the direction of publicly available material that would help me build an explanation for the server teams and also our management.
Interestingly, I was reading somewhere recently that application vulnerability patching is now seen as the big area for improvement, so maybe there is some synergy here also.