Does your Security team just dump vulnerabilities on you to fix asap

[-]

hitman133295@reddit

Yep, they have these fucking scans on daily and the moment MS released patch Tuesday, they all be like why you got spike fix it yesterday. Like mofo give it sometime to test too

[-]

flashx3005@reddit (OP)

Ha yea man I hear ya. Good to know we're not the only ones lol

[-]

It's no fun for them either. Imagine being responsible for security when the people that own the problem take the time to post about being harassed by security instead of fixing the security vulnerabilities that they need you to fix so you don't get compromised.

[-]

flashx3005@reddit (OP)

What happens when these vulnerability patches affect business applications? There's no digging into why or how app A is running or what would happen if a patch is to be applied to it.

teflonbob@reddit

Yes. We have a crack expert team that are experts at using tools to find vulnerabilities for them but have almost no ability or confidence to fix things or explain the issue outside of what the tool tells them. It’s frustrating we’re basically creating an industry of tool watchers and not people who actually fix things

[-]

DramaticErraticism@reddit

lol, right. These aren't crack experts by and large, they just use expensive tools the business purchased and then send another team a ticket to work on.

These aren't brilliant minds using their skills and intellect to triage, they are buying a platform and clicking buttons.

[-]

LUHG_HANI@reddit

Question is, why the fuck are they even in a job? Just add to the IT team and dish out the new role as a general job. Like updates because that's essentially what it is now.

[-]

BoltActionRifleman@reddit

Sounds like they need a meeting with The Bobs…

gif

[-]

CornBredThuggin@reddit

That's my exactly what my Info Sec team does. We have a regular meeting to go over the vulnerabilities. The guy leading it copies and pastes findings from other researchers. He'll regularly get confused in the middle of the presentation, because he didn't bother to proofread.

[-]

teflonbob@reddit

It’s all performance art these days. Appearance of knowing your job.

[-]

wintermute000@reddit

Infra shitting on securiteh for not having a clue about how anything works or the context of anything is IT 101.

[-]

ButtThunder@reddit

This is the problem with security teams that don't have an IT background. We classify our vulnerabilities based on the threat to our environment. If a critical vulnerability comes out for a python library, but the lib lives on a system without public exposure, is VLAN'd off, and does not run on or laterally access systems with sensitive data, I might re-classify it as a medium and then the sysadmin or dev team has a longer SLA to fix. If we need help tracking it down from our sysadmins, we ask before assigning it. Pump & dump vulns piss everyone off.

[-]

mirrax@reddit

The other side of the coin is that even with an IT background trying to critically think about every vulnerability is more effort than just updating where possible.

[-]

hkusp45css@reddit

I've done professional InfoSec for 20 years. It has NEVER made any sense to me that some orgs will run down every CVE they can find to remediate.

Patch, protect your edge, manage directional network traffic, get a decent SIEM, have decent endpoint protection and validate all that shit.

Elegant simplicity is much, much more secure in any state than complex security platforms generally are, practically.

The posture at my org is incredibly advanced for our size and value. However, it's dead fucking simple and that makes it effortless and sustainable.

[-]

alficles@reddit

Spot on! I may need to find one of those plaques. :D

[-]

It's a number game for C-suite to measure bullshit. "Look how good our teams are doing at remediating vulnerabilities"

[-]

hkusp45css@reddit

This is why every time my CEO says "it would be neat if we could see all of our security dollars on a report, or a screen in the hallway" I flat out invoke the "we can't expose that kind of data, even internally."

Because I'm not about to spend an hour a day explaining to the CEO why something they THINK should be green is red, or vice versa.

When a metric becomes a target, it stops being a measurement and becomes a goal. That's bad for everyone.

[-]

MBILC@reddit

But it looks good on our reporting tool that we have a lower score!

[-]

mirrax@reddit

On the flip side of that pithy comment, that score is useful tool as part of assessing risk.

[-]

MBILC@reddit

agree, part but not the sole thing, but companies will use that as a sole source of truth.

mirrax@reddit

You can and should just auto update most things

That's what I was trying to say. Spending time having someone think about whether or not they should be patched isn't valuable.

Like it or not pretty much every org has some hacked together piece(es) of shit that will nuke itself if it's updated.

This is where the effort in critical thinking should be spent. Consider the scenario, scanning tool says there's X number of vulns.

Scenario 1 (that ButtThunder is advocating for):

Security team that is staffed by all knowing wizards that understand all systems and their interactions analyzes every single vulnerability one by one and determines action plan.

Scenario 2 (that I am advocating for):

Scan list is passed to SME teams to patch what they can. Teams patching systems can have automation or release schedules as needed. Things that can't be patched away are identified by the team as exceptions. Those exceptions are evaluated in collaboration with the security team to assess, existing mitigations, risk profile, and effort to remediate.

[-]

randomman87@reddit

Middle ground I like is InfoSec is responsible for implementing patching plans with all application owners.

[-]

ButtThunder@reddit

Agreed, in larger environments it may not work due to too much complexity with fewer wizards. But I would hope that InfoSec communicates to the infrastructure teams doing the work the value of patching within SLA- usually due to compliance requirements. I probably shouldn't have assumed Op's org was small-medium.

[-]

mahsab@reddit

For some things, updating is trivial.

For some things - especially software libraries - it's a breaking change. And sometimes, it's such a big breaking change it can take MONTHS to update.

[-]

mirrax@reddit

For some things, updating is trivial.

That's what I was saying. Security identifying the list and passing it to SME teams to fix isn't the problem. Expecting Security to know all of what is or isn't trivial for all systems and libraries isn't reasonable.

Pass the list to the SMEs, let them patch the trivial and report the exceptions. Then security can work with the SME teams to spend the effort on critical thought on identifying the risk level and level of effort to remediate, working with management to allocate time and resources as needed.

[-]

mahsab@reddit

I think the best path would be somewhere in the middle.

Security would make a list, go through it and, where available, already extend it with information that would make remediation and risk identification easier.

I'm on both sides, and when I identify a vuln., I do some basic digging and try to find (and share) at least:

is there a patch available (and where to get it)
is there a patch for the same minor version
is there a specific upgrade path for the version with the fix
is there a workaround available
etc

In that way it does not steal the focus of the other teams, because they can plan and estimate this much more easily than if just a list is dumped with a high priority and then everything has to be dropped so it can be evaluated even on a basic level.

[-]

mirrax@reddit

Most of that information is usually in the reports generated by the scanners. And when it's not, the SME for the system or the patching tool is going to have a lot easier time getting the information. Depending on the size of the organization, those scans probably have multiple desktop and server OS packages, large number of COTS applications, network appliances, hypervisor or container orchestration platforms, container images, and internal application dependencies.

From personal experience, I remember some developers chafing because security gave them a long list of CVEs to fix on externally facing applications. One with a 9.8 CVE in it for Spring 5 for which the specific upgrade path is upgrade to Spring 6 (which is basically a total rewrite). But that list also had a bunch of OS vulns in their container image.

But they were responsible for their app, for that particular CVE it meant going through and inspecting code for behavior because it wasn't going to get fixed in Spring 5. But the pain of continuously checking that no one used that behavior in every release should be felt by that dev team. Same goes with the container image OS vulns, having to continuous rev base images that have 10-15 some false positives with packages that aren't even used but triggered in the scanner. With the pain in the right place, the developers had the ability to pick a different base image that didn't include extra packages and reduced the attack surface.

The same goes for the other areas, I don't think security should have to be in every single vendor's download portal and knowledge base and be expected to know everything. If some shitty appliance is a pain to update, the administrator of it should feel that pain and complain to their management that system should be replaced.

This isn't to say that knowledgeable security folks aren't worth their weight in gold. Because working across teams to do attack surface analysis and threat modelling, coordinating across teams to get the appropriate mitigations to manage risk is so important. But unless it's a small org where people have to wear all the hats, place both the accountability and the responsibility puts the pain in the wrong place on people, punishing the effort of reducing risk.

[-]

dougmc@reddit

But you kind of need to do both. Sure, stay up to date on patches. But when something new and serious comes out, you still should think about it might have affected you, and what you could have done to protect against it before it even became "0-day".

But it's more fundamental than that -- you kind of need to have security in mind when building and maintaining stuff. Not so much regarding specific vulnerabilities, but just security principles in general -- sanitize your inputs, disable unused services, lock hosts down as appropriate for their role, monitor for unusual activity, etc.

And I think that even the security guys tend to miss that when they don't come from an IT or development background. Still, they nag people to install their patches, and run scanning tools and send spreadsheets with the results, and that's useful too.

[-]

mirrax@reddit

Security undoubtedly comes in layers and you are right that reactively patching vulns isn't enough. However scanning for vulns and passing a list to get patched is low effort checklist activity that can identify places where additional layers are needed.

And honestly sometimes the nag is needed, own enough systems with enough dependencies and it's just not possible to know everything. And scanned list can identify places that can reduce risk and attack surfaces. Take a container image for example, building on a full distro has a greater attack surface than say scratch or distroless, a big list of vulnerabilities exposes the depth of the attack surface and can justify the engineering effort towards reducing it.

tl;dr No mindless scanning doesn't solve security, but it is useful.

[-]

dougmc@reddit

It's not your job to reclassify vulns.

[-]

bingle-cowabungle@reddit

This was always going to be the ultimate result of these stupid cybersecurity bootcamps, and security bachelor's degrees that they offer at community college which are just glorified ITIL and project management roles with a thin veneer of "security" attached to it.

Even funnier if the vulnerability was publicly released a couple years ago. They only just now found it on an external scan!

The comedy is that they themselves would have known about it a year+ ago had they been tracking vulnerabilities against the versions of code in prod. Which is plainly a feature of one of they tools they have. Have, but dont use properly, because the 2 folks who were trained on it left more than 6 months ago.

[-]

alficles@reddit

I once got pulled into an emergency meeting on a Friday afternoon. The team was trying to get an immediate RCA on a vulnerability so they could get approval for a Friday evening release. The team saw that a change ticket had been filed to rotate a key that had been exposed and immediately shifted into high gear.

Once I figured out what was going on, I informed them that this wasn't that urgent. The key protected something that wasn't terribly important and comprise would have been no more than a bit annoying. We should rotate it, but it's not a big deal.

The team pushed back and said that exposed keys have to be dealt with right away. That's when I pointed out that the key had been exposed for the last ten years and if someone had it and was doing bad stuff with it, they were probably done a while ago.

There are a lot of reasons it took ten years, but mostly because it was actually really hard to rotate it (genuinely terrible legacy design, nothing like it would ever get approved today) and the thing it protected wasn't a big deal so it got very low effort. The team pushed back, asking who had found the exposure and why hadn't they followed up.

I opened the ticket and showed them it was originally filed by the guy that was now the team lead of the remediation team, back when he was a junior engineer ten years ago. :D He had no recollection, which is quite reasonable.

Are you wanting the Security Team to be installing patches on your system (s) on their own??

[-]

Hotshot55@reddit

I'm more referring to them finding vulnerabilities, giving you the list and telling you to fix asap without any help from them.

I mean that's kind of the point of you owning the OS, you get to define the remediation process for it. You are supposed to be the subject matter expert.

Would you rather have the security team give you exact instructions on "fixing" things even if it'd make your environment unusable?

[-]

Ultimabuster@reddit

Maybe it’s different at other orgs but at my org that seems to be like 95% of what the security team even does. They could be replaced by an automated report from the CVE scanner

[-]

flashx3005@reddit (OP)

They'll list the remediation but don't understand the consequences of such. I don't mind the work but more collaborative efforts would be better. Them finding 20 vulnerabilities and to fix those asap on top of everything else isn't helping anyone. That's my gripe is lack of support.

[-]

FanClubof5@reddit

We are there to manage risk so if you end up with a vuln that you as the expert think is not reasonable to fix then usually you just need to submit a risk exception and make sure that management all signs off on that.

[-]

flashx3005@reddit (OP)

Fair point. Maybe it's me but it's just feels like they give a list, say fix it and report back. Seems like just another upper level mgr telling me what to do without the support. That's probably what gets me annoyed the most.

[-]

BeanBagKing@reddit

They'll list the remediation but don't understand the consequences of such.

That's to be expected. I see a lot of people bemoaning security teams that have no idea how to patch something in this thread, but even a technical security team can't be systems experts on everything. A reasonably size business might have a person or two each for Linux, Windows, network, hypervisor, and databases. Some roles might cross, e.g. the Linux guy takes care of databases too. In general though, unless it's a very small company, you wouldn't expect one person to be doing all of those jobs. Never mind the actual software that resides on those systems. That is why the actual application of the fix gets handed over to the system experts.

One thing I noticed here is that you haven't really said what you do want help with. The technical buck stops with you, so what support do you want from them? I'm not saying there isn't anything; there are ways they could offer guidance or help, but there isn't enough details here to tell specifically what you want.

I can't tell (coming from the security side) if there is something wrong here or not, it's highly dependent. Are they pushing 20 vulns to you and saying fix these all asap because they are actually things that are really bad and do need to be fixed ASAP? Is it 20 things that aren't so bad, but indicate a larger underlying problem (e.g. Windows not being patched)? Or are they 20 esoteric libraries across that many systems that are all behind a firewall? Is the list of remediation there because the report included it so why not, or are they are genuinely trying to be helpful (regardless of the report inclusion)? i.e. what was the intent?

It sounds to me like there does need to be collaboration, but that needs to come from both sides. They need to know how they can help you, and they need to provide that help. At the same time, it's likely that they need help from you beyond applying fixes (whether they realize it or not) in the form of what is important so they can prioritize things. For instance, which systems are business critical, which systems hold the keys to the kingdom or can't be down for more than 30 minutes? Versus those that can go down for a week or more without any serious disruption. Both teams probably also need help from the application and data owners to decide these things.

As other people have mentioned, you also need a set of policies to help guide all of this. How many business resources does the company want to put into vulnerabilities. How many of these resources are yours (your time), and how many come from security? It's not in the business's best interest to have either side hand verifying every CVE (/u/alficles 's post was great, please read it). E.g. mass patch what you can regardless and then circle around to whats left. At the same time, if everything is a priority then nothing is, so the security team should be able to assign priorities and determine false positives when you get to that stage. These priorities may also be adjusted by your input. There should also be a process for going outside the expected SLA/priority. "This major thing just hit the news" kind of issue.

My suggestion would be to make two lists. One for your manager and one for the security team.

How can your manager help you? e.g. How should you allocate your time, who should be assigning work to you, should there be a policy. These are all things I feel like they should be handling. "You should be spending X hours on this, it's fine for security to assign you X hours worth of work, there's no point in having a middle man here. If it goes over, it has to come through me. I'll work with security to draft a policy", etc.

How can the security team help you? They probably aren't going to know how long something might take to fix, so with that in mind do you want them just to give you one thing and you work on that until hours are exhausted or it gets fixed, then get another? Do you want them to give you a priorities list and let you work through it? Is there additional information they could provide? What do they need from you?

[-]

alficles@reddit

Right. It's not their job to understand the consequences of the fix, usually. That's usually your job. They can tell you all day long what an RCE is and why you want to get rid of it, but they won't be able to tell you whether it's ok to reboot your server or what would happen if you disabled the HTTP redirect.

It sounds, though, like you don't have priority alignment. If management wants you remediating security findings, they may need to tell you which other work to not do. Or they might have to hire help.

The comment above (or below, who knows what votes will do? :D) about having SLAs is also important. That said, I think a lot of teams have SLAs that are longer than the risk justifies. I've seen the systems of a small business compromised by threat actors because they waited 48 hours to apply a patch for a CVSS 6 (medium) CVE. The risk may be low, but it's never zero.

[-]

short_tech_support@reddit

If you're understaffed and overworked your criticisms may be better directed more towards management.

Focus is o n monthly patching, which brings the amount of vulnerabilities, on an OS level, every month down to zero.

Server owners get, also monthly, the list of vulnerabilities to address.

There are not constant follow ups on the later, wouldn’t be possible, but based on policies (bla bla) the server owners are held accountable. So in case something goes wrong….

Well and for real critically (9+) there ARE follow ups with upper leadership + isolation VLAN if not resolved.

[-]

ReptilianLaserbeam@reddit

I mean, if there’s a vulnerability that needs to be fixed the whole company, your livelihood, is at risk. So yes, that needs to be fixed asap. Put aside everything else and focus on the task at hand.

[-]

tonkats@reddit

Our security guy dumps stuff on me with no plan. Last year, he hired another bro to go to meetings with him to get swag and look important. Sometimes he buys expensive products that do the same things our other products do.

I've worked in orgs that function that way. I've also worked in orgs where someone has to elevate a security/cvs/kb/urgent impactful fix in Change so as to process it as a low-planning event.

I probably just prefer to be left alone but its sort of part of the whole risk management thing.

[-]

Neat-Researcher-7067@reddit

im not setting up an app/architecture thats not mine, and its the app owners responsibility to do things correctly according to proper standards in order to follow policy, assuming your organization is mature enough to have standards and policies.

what ends up happening if you "hands on" fix everything is people become lazy and just whine at you to do it for them, and get mad because you dont tell them how to do their job.

technically, as a security guy, your job is TO ONLY say "no this is not right, do it right"

if you wanna be nice and provide the "no, but..." answer, thats also good and preferred.

long story short, dont take on additional work just because of your coworkers incompetence

[-]

Live_Bit_7000@reddit

I want to be a security guy to boss others around

[-]

SafetyWorking3736@reddit

lol, typically we can only boss people around if we have a governing authority practice to enforce that supports our authority, if not, then what ends up happening is a breach because Tim wanted a PowerPlant accessible from his home office

[-]

Reverent_Revenants@reddit

This thread made me realize security guys must perceive admins the way admins perceive users.

[-]

Lol. My security guy can't even determine if a vuln report from nessus is even a real risk let alone address if it's real.

We are constantly bugged about low priority bs 'vulns' like appliances used by our team and only our team with SSL problems. Like self signed certs. Or other internal things we can't configure without HSTS.

Like guy, I'm working three different positions and everything I do is being marked as top priority from management and due yesterday. I don't give a rats ass about HSTS on some one off temperature sensor that's barely supported by the manufacturer anyway. We already put controls in place to mitigate issues. You know this, or should anyway.

[-]

alficles@reddit

This is a management problem, not primarily a security one. Of course your security person isn't an expert in your system specifically. And if the security team isn't being driven in alignment with the needs of the business, then management needs to set them straight. If management, though, has told them that all your certs need to chain to a public root, then they're following the instructions they've been given. If management then doesn't give you the resources to do the work they want done, then they have set you up for failure.

I've seen some places issue sweeping mandates for stuff like "everything must use TLS" because they conclude that it's cheaper to force everything to comply than it is to do the security analysis required to determine which things should be in scope. Sometimes that's true, often it isn't. But if management never made bad decisions, what would they do all day? :D

[-]

PURRING_SILENCER@reddit

Yeah it's such a a small team that the security guy is part of the management team. He drives much of this conversation. And it's only him doing security with a lofty title of CISO. He's not qualified for it. Also there is no mandate for anything. I'm a level or two removed from leadership and I would be part of those conversations and likely inform them.

But in larger orgs your statement likely stands

[-]

alficles@reddit

Oof. Yeah, reading some of the updates here, the pile of CVEs is a symptom of a drastically more serious problem. I like computers cause I can fix them or throw them away. That approach is so much harder when the broken thing is a manager.

[-]

Angelworks42@reddit

Nessus is kind of bad as well - back when we used it, it seemed to have no ability to tell the difference between Office 365 and Office LTSC.

[-]

airinato@reddit

I don't think I've ever even seen an infosec department do more than run vulnerability scanners and transfer responsibility for that onto overworked mainline IT

[-]

These days I write more SQL than anything else. But I still give presentations on the history of physical security and it's fun.

[-]

SammyGreen@reddit

I’ve been a security consultant for almost five years and tbh it’s only a title haha.

I find myself doing standard infrastructure stuff but not being an idiot about it.

But hey, if clients want to pay premium just because I have the word “security” in my title, I’m not going to say no to more money.

[-]

Vynlovanth@reddit

Guessing it went from people who were seriously interested in the internal workings of systems and focused on drilling deep into vulnerabilities and malware, to now it’s a lucrative job that you can get some type of post-secondary education in, but the education doesn’t give you any sort of practical experience in systems. You don’t have to know what Linux is or x86 versus ARM or basic enterprise network design.

Don’t ask for ip any/any rules for your security scanner if you’re just going to use it to generate endless garbage.

There is a fuck ton of meaningful work you can complete very simply before you engage the sme.

Try logging on to the appliance with readonly or default creds. See if the version claimed shows in the help menu.

Try setting a password that should fail the policy. Etc.

[-]

tripodal@reddit

If you can write an exception for Bob to run a LinkSys router in his office, you can write one for the self signed cert on the PDU inside the jump host network.

Instead of re flagging it every time the security tools get swapped.

[-]

whopper2k@reddit

Ah yeah, see I'd agree that's basic due diligence and should be done before reaching out. In general, I agree with your sentiment.

I will point out that not every tool reports all the info one would need to do basic checks, and sometimes it requires a level of access the security team simply does not (and should not) have. Hell, earlier today I had to ask our FIM vendor why the hell it can tell me who changed a folder's permission, but not what permission what changed. I've also had to ask devs to figure out how to patch their containers because building the container requires access to some defined secrets like API keys and such.

It's give and take, as with most jobs. We all have work we'd rather be doing than patching, that's for sure

[-]

tripodal@reddit

I hear you, but I fundamentally disagree about the level of access security team should have.

A compliance team should not have access, a security team can be trusted as admins.

I realize having security focused admins is a wishlist; but the world would be a better place if security personal were engaged in applying remediations.

Chrome extension lockdown gpo deployed in test or to a beta group; hand it to the desktop team to send org wide.

Esxi vuln, let them apply patch or mitigation to exp or test env, document for sysadmins or oncall.

This is why I’ll never be in management, because steering a ship in this direction feels impossible

[-]

whopper2k@reddit

if only more orgs would take on "security champion" programs and bake security into every single team rather than having large sec teams. Cuz as it stands security teams are just as likely to be underfunded and overworked as any other team; we just don't have the manpower to handle patching at the scale you're talking about.

Definitely get your frustration though, it's annoying being a blocker to someone actually getting their work done. And way too many people in infosec forget their job is to serve the business objectives first

[-]

Pristine-Desk-5002@reddit

Sometimes it's not about knowledge of how to exploit but about nation state resources

[-]

goingslowfast@reddit

You hit the nail on the head. Security teams should be providing intelligence.

If they're just aggregating RSS feeds from security blogs or hitting start on a vulnerability scanner and sending you the results, I'll say somewhat satirically just replace them with automation.

[-]

Noobmode@reddit

The C in CVE doesn’t stand for ChatGPT, they already exist that’s why there is an issued CVE

[-]

Cormacolinde@reddit

Something a lot of security people these days seem to not know or ignore is that part of evaluation a CVE is to look at the CVSS and adjust it to your environment, risk and impact. Too many people just take the CVSS and run with it these days.

[-]

Noobmode@reddit

That’s a problem with process not the CVE itself though. Most people don’t have the time to try and sit there to go through manual calculations. That’s why a number of tools use custom risk scores with tagging to multiply impact to bring your highest priority systems and vulns to the tops of reports automatically

[-]

tripodal@reddit

Just because someone attributes a valid CVE doesn’t mean it’s real.

Dozens of ours explaining that we moved out of that datacenter 9000 years ago and to stop scanning those IPs

[-]

Noobmode@reddit

How are they scanning data centers you don’t own, that makes zero sense to me. If you left the data center you wouldn’t have a network connection, that sounds like tech debt and zombie networks that need to be addressed. That’s still a finding.

[-]

mirrax@reddit

They are scanning Public IPs grabbing versions off the web servers. Not the saner method of running an agent on all internal servers and just externally scanning appliances.

[-]

tripodal@reddit

Because some scanners grab all of your dns entries, then scan all IPS associated with them, then grab all SANs on those certs, then grab all those ips.

Then they correlate a historical database of all ips and dns that were ever associated with you.

Security scorecard gotta look as scary as possible.

[-]

Noobmode@reddit

Security Scorecard is a scam.

[-]

[-]

progenyofeniac@reddit

I had them come to me with a vuln identified by some scan: cached credentials. They wanted the value set to 0. No cached creds at all, ever.

Our workforce is entirely remote and using an SSL-VPN that they only sign into after logging into Windows, on domain-joined machines.

We had multiple meetings where I explained why they couldn’t do this, why we’d first need a different VPN solution, etc etc etc.

Engaged in what way?

How is the collaboration like?

"Nessus has detected such and such false positive for the billionth time, please reply back with distro reference material indicating that these same vulnerabilities have back ported patches. No we will not group these false positives together and no we won't work with you to ensure fewer false positives are reported in the future."

"Version 2025-05-22 of security policy xyz has been updated and supercedes version 2025-05-21 of the same policy. We've added a dozen new items your department needs to comply with ASAP."

Curious on how you guys handle these types of situations.

Complain to boss about needing additional workers to comply with the security team's directives. Get told there's no funding for that. Drink more.

[-]

flashx3005@reddit (OP)

Complain to boss about needing additional workers to comply with the security team's directives. Get told there's no funding for that. Drink more.

Basically it's best to get everyone together and talk through these things.

[-]

PhillAholic@reddit

Like for example if an edge firewall had a vulnerability being actively exploited, then we would make sure the network team patched it ASAP.

We are a smaller shop, so Automox is used to catch what can be done automatically, and then they go in and do the rest by hand, for example, turning off SMB or what not by group policy, etc.

I use Rapid7 IVM for Vulnerability Scanning, as it has a great Dashboard, and their risk based system allows me assign whats critical, so my guys dont waste time.

They do, sometimes they're legit, sometimes their security software sucks. Donkeys

Example, when Chrome installs or updates, the version number for the exact same update can be different.

So when it updates pending the browser restart in the registry. It may list a version number that starts with something weird like 79, whereas the current actual version number starts with 135 I believe. So their security software will freak out thinking that they have a version of Chrome from like 10 years ago installed on their machine and their numbers jump into the millions for a problem that doesn't exist.

Or similarly, it will detect something as being old installed because there's a single stray file that wasn't deleted when the program updated, which literally has nothing to do with the vulnerability, but that's how their crappy software decides to detect it.

So I will push all of those things right back at them.

[-]

weetek@reddit

This is so dependent on team size and function. I think both sides like to point fingers but it's an unrealistic expectation of anyone to have all the knowledge.

You can think of vulnerability scanners and the security teams like people who let car owners that they have a recall, in this case the NHTSA. That team would not be responsible for also fixing the recall, right? Not every car is going to be affected by this recall, but they can group cars together by year (vulnerability/CVE) it's up to the car dealership (and owner) to figure out whether it needs to be repaired.

An owner is responsible for a single car, or maybe a few. Sometimes in security we are dealing with hundreds of vulnerabilities and also managing other projects so it's very unreasonable to expect us to validate every vulnerability especially if we don't know how things are set up... maybe a product is using an outdated java library, that's what I can see but I don't know how it was configured or used.

Another side is leadership just wants to see numbers go down so security teams have to cast a wide net. At the end of the day everyone's just doing their jobs and if you want the security team to do yours then you will just get replaced by them.

[-]

flashx3005@reddit (OP)

Right I understand nobody can or should know it all. I also dont know how every app in the environment works or how all the apps related but I do my best to piece things together. In a small shop helping in a collaborative environment works better this way we all can see and in the case I'm out and they have a zero day to fix and patch atleast they'll have an idea of where to start and whom to contact app owner wise.

[-]

weetek@reddit

That’s a tough spot to be in, but it’s not the security teams job to dictate ownership. In our environment we have 1000+ people, through the process of elimination I can usually get to finding out what’s affected but it’s so time consuming. I did work on the IT team before though so I helped establish some ownership criteria, which helped a lot.

All the people who went to college during COVID for a "security degree" only know how to read alerts and forward them to other people to fix

[-]

Orestes85@reddit

I feel personally attacked.

Some of us are sysadmins, too, ya know.

[-]

Toribor@reddit

Our Security Team is constantly dumping extra work on me. Of course I'm also the Security Team so it could be worse.

[-]

bbqwatermelon@reddit

Your security team sounds like an asshole

[-]

AdolfKoopaTroopa@reddit

The whole IT department is a pain in my ass.

[-]

dave_pet@reddit

gif

Relevant

[-]

Kwuahh@reddit

Our own worse enemies

[-]

trobsmonkey@reddit

This is my entire job. Nothing but vulnerabilities. I'm sorry yall don't have dedicated teams.

[-]

hashkent@reddit

Yep. With a deadline of 2 weeks for high / critical, regardless if it actually affects us.

Bonus points for the 2 week change request lead time on some systems. So never meet the sla 🤣🤣

tacticalAlmonds@reddit

Does anyone else's security team lack critical thinking and is just a crew that exports alerts into tickets for someone else without reviewing said alert?

[-]

PhillAholic@reddit

I was asked to open up ports on my firewall because their security scanning software couldn't get into it.

[-]

many_dongs@reddit

This is normal and expected. You'd rather have your security team find issues than the bad guys in the event of someone accidentally exposing ports/dropping ACLs/other unexpected issues. It happens.

[-]

PhillAholic@reddit

Reviewing configs sure, but opening up a production firewall where it's vulnerable? I've never once had anyone ask for that before, including a handful of external security consultants doing scans.

[-]

many_dongs@reddit

External consultants are typically satisfied with attacker level access (no ports opened) and most importantly they will go with whatever the client wants

tacticalAlmonds@reddit

This was my point as well. Oh well.

[-]

27CF@reddit

at least you get tickets

[-]

moffetts9001@reddit

Yep. They blindly report R7 findings to us and fight with us when we tell them the findings are wrong.

[-]

Sasataf12@reddit

I've worked with security teams that have absolutely no technical expertise, and ones that have a lot.

dinosaurwithakatana@reddit

If anything this is going to get worse. Lots of people are scanning open source codebases with AI tooling to find vulnerabilities to collect whitehat bounties - which is causing a general increase in CVEs.

[-]

PhillAholic@reddit

If they are legit that's not a problem. 99% of the shit I have to deal with isn't legit or is not actually a risk. If something needs to be patched or workaround needs to be implemented I want to know about it asap.

[-]

MSXzigerzh0@reddit

And Vibe Coding is going to make it worse.

[-]

mellamosatan@reddit

Yes and we are graded heavily by that by the big dogs.

"Hey man this is red" is my joke about what their job is.

[-]

atw527@reddit

You have a security team?

[-]

deweys@reddit

Genuine question: How would you like them to help you? Should they be installing patches, updating VMware, etc?

[-]

whiskeytab@reddit

they could start by not sending out a monthly email about vulnerabilities that Microsoft have patched when our patching is already automated lol

[-]

digitaltransmutation@reddit

At the very least they should read the vuln's text and assess the asset to determine if the finding is valid. Would reduce our guys's ticket creation by around half.

Basically the problem with this transaction is that they generate a lot of timesucks that move the needle on nothing and I have the entire rest of my job that I need to do.

[-]

PhillAholic@reddit

Frankly these are the jobs about to be replaced by AI. The output can't get any worse, and blaming bad AI is easier than a human.

[-]

From the security side I'll also add that in a lot of cases it's not in either teams best interest to validate 90% of stuff. Vuln scanner says we need to turn off SMBv2? Are we using it? No? Patch test -> patch prod. It is worth literally nobody's time to either a) validate the output of the tool or b) justify why it needs to be turned off or what the risk level is.

Maybe 90% is hyperbole, but I feel like there's a lot of monthly patch vulnerabilities that follow this logic. I get it, it's a low priority finding and it's going to take time to patch, and because of that infra wants to know why this thing is actually a problem. Someone could validate that it's actually present and do a risk analysis and bring it to change control (ok, that one should be there anyway) and get an SLA assigned but look, I gotta be honest, it's just because it'll make the damn number in the dashboard go down by a bajillion points because it's on every system and then we can both brag to the CFO about teamwork and how happy the auditors were this year. So can we push the change to at least test and see if anything breaks?

But yea, after that, all the little stragglers and one-offs, it should be more than a CSV tossed over the wall.

[-]

Subject_Estimate_309@reddit

This is as much on operations as it is security. I’m happy to validate the output of my tool, but that’s gonna rely on OPS providing my team with the right visibility to do that. If the CMDB isn’t halfway accurate and I can’t login to see what you’re actually running, then the OPS team is getting a big CSV to sort through on their own.

[-]

themastermatt@reddit

Thats fair. In my last org, SecOps had full Domain Admin and Global Admin. For reasons. Still sent every CVE dump in the blind with "let us know when they are fixed, k thanks bye!". Further, they would then not listen to the explanation nor go look for themselves. 100% tool readers which is becoming pretty common.

[-]

Subject_Estimate_309@reddit

That’s a nightmare. In multiple ways. I’m so sorry

[-]

YSFKJDGS@reddit

Most likely they are not doing a true risk based security program. Yeah, your firewall shows a CVE of 9, or your server shows an RCE or something.

HOWEVER, the interfaces exposed to these vulns are behind strict FW rules, not exposed to the internet, etc... In which case those vulns are downgraded from a 9 to like a 7 or something, SLA adjusted because of compensating controls, etc.

All of the mitigating controls that adjust internal CVE numbers is how you start to actually show a mature program. 99% of the complaints here are because they do NOT have a mature program, and frankly both sides of the conversation (including rolling up to management) are to blame.

[-]

It's a balance. If I'm drowning in meaningless bullshit, the real ones are going to get burred.

[-]

lumirgaidin@reddit

Former Infrastructure Engineer turned TVM Analyst. Yes. And no. But also yes. Seeing it from both sides, without having some deep technical knowledge, a lot of OMGWOW CVSS 10 PATCH

[-]

SysAdminDennyBob@reddit

Yes, this is a common approach. It can become overwhelming depending on the Security team's operational nature. For example browser updates, there can be multiple of these per month. Some security teams want you to deploy these updates instantly, but then you look at your patching routine and it only runs once-a-month. In those cases I had my management address it

"The Patch Team patches once a month. Everything else is an out-of-schedule patch. You (Security) need to define when a CVE is bad enough that we would patch outside of our normal schedule, it should be very rare. Change Control should have to approve."

Further, Security is not allowed to send me a task if the update has not gone through the normal schedule yet. I set everything on Patch Tuesday and lock it down. I do not add anything more until next month. "Security, DO NOT send us a vulnerability that will get automatically patched with next month's regular schedule. No ticket at all, nothing in my queue, understood? You missed the cut off and it's not an urgent patch, you'll get it next month with zero effort from me, it's automatic."

Solutions to get out of the churn:

When you get a task and it has 10 systems that are missing an app update, don't just address those 10. Instead expand out your deployment to all systems that have that application. This prevents them discovering more on the next round of scanning. Do more than what that ticket asks.

[-]

natflingdull@reddit

out of date apps in old user profiles

Fucking Teams

[-]

andrewthetechie@reddit

Yup. Without understanding how things are actually vulnerable or not.

Newest fun is their tool doesn't understand ubuntu patch versions so they scream at me that SSH is vulnerable, even though its not.

[-]

RouterMonkey@reddit

I'm curious. Are you saying they should do your job for your (remediating your equipment) or that they should just ignore this stuff and leave you alone?

Their job is to find vulnerabilities, your job is ti manage the equipment under your control, including remediating vulnerabilities.

[-]

EraYaN@reddit

The problem is the tools spew like half bullshit findings… try them on any random node project and ooh boy. And you often just can’t do shit about it. Or it’s already mitigated because it’s only in test code etc. You you end up doing something for maybe 10% of tickets. But the research is 1 FTEs full time job on your teams of 2…

[-]

"Yeah, there was an issue with the uninstall package"

Our dev teams get the white glove treatment, infra gets spreadsheets.

[-]

Avengeme555@reddit

This has been my exact experience. In my past two roles InfoSec has been by far the laziest team and is constantly trying to push off work onto others.

[-]

securingserenity@reddit

There may be other reasons you call them lazy, but recognizing separation of duties is not laziness.

Sometimes, yes, but they also get the same back from us on occasion

Most of the time they do their best to alert us to problems ahead of time, give us as much time as is possible, work together on exceptions, compensating controls, and other mitigating factors

We only need to work on remediating medium and higher vulnerabilities (PCI-DSS), they will also do everything they can to help us as long as we aren't shirking our responsibilities

They try and equip us with tools to get more info and to publish and share remediation instructions specific to our company, they are also involved in all of the planning and architecting discussions to ensure that security is top of mind so that problems don't get blown back in our face at the last moment

...Ok now that I'm typing it out I'm hearing that we actually have a pretty great security team because security is a top-down concern for everyone, not an after-thought

[-]

Cryptic1911@reddit

Yes and it's fucking annoying. I get it, I really do, since we got smacked with ransomware like 5 years ago, but they go to the extreme. They've got software up our ass reporting cve's back to a dashboard and score all machines / companies on it. Then they harp on the smallest stuff that isn't a huge deal, basically wanting to have 0 cve's in the environment with like 20k machines, so it's never going to happen. It's just every day of "jesus christ. what now?". Security (and legal) basically owns the rest of IT, to the point that it takes like 6 months to get a software review for something we need. Forget just downloading a tool to help fix a situation. The days of just getting shit done are over

[-]

modern_medicine_isnt@reddit

I send the ticket back if it doesn't clearly state the vulnerability and how it can be exploited. It also must say what remediation needs to be done, in detail. And this is the one they often can't deliver... how will I be able to prove that it is fixed. Otherwise, I simply say it isn't actionable. That forces them to stop just throwing crap over the wall. A lot of the stuff turns out not to be exploitable in our env because of some other protection. So when they do spell it out, I can document that, and we move on. And if it does need to be fixed, they have provided the how, which makes it low effort.

[-]

many_dongs@reddit

I'm on a Security team currently that does this. Every team I've lead in the past did better than this.

Finding vulnerabilities is part of a successful layered security program and is legitimate work. Pretending that it doesn’t matter or shouldn’t be someone’s job is burying your head in the sand.

That said, ideally there is collaboration between teams.

We try to research what’s found and prioritize the most critical ones that appear to be lower complexity, are actively being exploited, have extra exposure in our environment specifically, etc.. We also try to do some legwork to find what the solution should be.

There’s limitations though as separation duties means we don’t have admin rights to run most things (which we shouldn’t), so yes the work of actually patching can fall back to admins.

Additionally, admins who own said systems should have some concept of how they work/how to patch them.

I've got security and ops on my team. Our security teams regularly drop work on the operations teams and that's just the reality of operating in 2025.

Security is about intelligence, not reading blogs or hitting start on a vulnerability scanner and emailing you the output.

Your security team shouldn't be replaceable with an RSS feed from Bleeping Computer, GBhackers, or similar. They should be flagging / prioritizing issues based on their knowledge of your environment. Your security team should be able to let you know where you have the vulnerable service or product installed, what services you provide that rely on it, and how critical it is to skip ahead of other work.

You need to be able to rely on your security team to tell you if this is a "FIX NOW", a "fix next release", or "put it in the backlog". That is the intelligence they should be providing, and it needs to be informed by an understanding of the impact that pulling the fire alarm for a vulnerability has across the organization.

> I'm a one man infra engineer in a small shop but lately Security is influencing SVP to silo some of things that devops used to do to help out (create servers, dns entries) and put them all on my plate along with vulnerabilities fixing amongst others.

You're becoming platform operations vs infrastructure engineer if that trajectory continues.

[-]

woohhaa@reddit

We had this issue at my old shop. The security team’s requirements started to consume most of our time causing project delays. We ran it up to the infrastructure director who then started pushing back against the security folks. They eventually budgeted for a security operations group to be put in place who took over all the tasks.

It was rough to start but as they got familiar with our environment and started to build connections with the right people it really took a lot off our plate.

[-]

flummox1234@reddit

you have a security team? /s

[-]

0DayAudio@reddit

Security person here. I understand your frustration, given a list with 0 priorities and just told to fix it is not what a good security team should do. However as sysadmin it's part of your responsibility to maintain the OS, patching included.

A good sec team will help establish SLAs for remediation based on a combo of CVSS scoring, actual exploitability, and environmental conditions. IE is the asset in question edge facing, in the DMZ, or fully internal.

False positives are part of the security life, there is never going to be a time with there won't be false positives and it should be part of the SecTeams process to help verify if the vulnerability is a real FP.

I spent 10 years being a penetration tester and one of the things I did at the company I worked at was work with the vulnerability team and the sysadmins to help verify if vulnerabilities were actually there or not.

I also helped educate the admins on why this stuff is important. An example of this, I had a DBA who managed a number of MSSQL servers in our environment, he was responsible for both the OS and DB stuff for these systems. He refused to patch because of various reasons, no time, uptime requirements, etc. There was a vulnerability a number of years ago where an attacker sends a malformed packet to the server and kills it. Instant blue screen of death. There was even a Metasploit module that fired off this attack for you, all you had to do is put in the IP address of the SQL box. After going back and forth via email and IM I simply just went over to the other building and sat in his cube with my Kali laptop and asked him to pull of the console of one of his servers then I showed him how easy it was to blue screen his box. His reaction was priceless, pure utter shock at how easy it was to mess with his server. I saw the light of realization in his eyes and as a result of what I showed him he became the biggest advocate for the vuln team and patching at the company. He even helped refine some of the processes and procedures IT used to make things quicker.

Bad/lazy teams exist and it sucks. My current job is at a company where the former sec team did the bare minimum, sometimes not even that, and were eventually fired for mismanagement and incompetence . I've spent the last year cleaning up that and helping educate the rest of ITOps on what a good security team can do for them.

The best advice I can give you is push back on them. Make them give you real SLAs, and prioritize what needs to be remediated. Get them to commit to real polices and not just an arbitrary, fix this list shit style of operation.

[-]

Zer0C00L321@reddit

[-]

meiko42@reddit

This reads to me as if security are just inventing problems and it's their fault somehow lol

[-]

SoftwareHitch@reddit

Wait, you guys are getting security teams?

All the time.

[-]

itmgr2024@reddit

Those who cannot do, do IT Security.

[-]

[-]

what would you have them do?

have you taken any of them out to lunch to get back on the same page?

What does your leadership expect of you when they report the vulnerabilities?

mrtealeaf@reddit

Yes, but only on Friday afternoons.

[-]

fluidmind23@reddit

The first pass of qualys identified 80k vulnerabilities. Most of them resolved themselves with updates that were automatic but there were like 5000 actual interaction tickets created that day. (127 year old global company with so much tech debt Microsoft should have repoed everything 10 years ago) I believe they are still working through them 4 years later.

[-]

bbx1_@reddit

What security vulnerabilities? oh, those terrifying alerts?

yeah, thankfully we don't have a vulnerability scanner so vulnerabilities isn't an issue.

Truth but not.

[-]

ez12a@reddit

We used to get pings from all sorts of people about CVEs. It was too much noise for our oncall. I created a chat with only the security team and the process is to create an incident task for tracking response.

Tldr we treat them like incidents/tickets/tasks to be completed, Albeit with higher priority of severe.

[-]

ElvinLundCondor@reddit

Security farmed out reporting to the QA team who clicks a button and sends me the list of vulnerabilities to be remediated. Problem is they don’t know the meaning of the report. I’ll get things like port 443 is running version X of apache which is vulnerable to CVE-Y. Upgrade to newer version of apache. Look up the CVE at redhat. CVE remediated at revision Z of the apache package, which is already applied. Try to explain to QA. Nope, you have to upgrade. Ok, configure apache to not report version. Ask QA to re-run the report. You’re clean, thanks.

On the flip side of that, Ive worked with great security people who’ve walked me through the issue. It normally doesn’t take that long. For example, I was once tasked with removing the MSXML parser from a few windows machines and I reached out and was like “can you explain the issue before I go down this rabbit hole? I can’t remove a system component on a production server without research into the impact so I need to understand how serious this is before I prioritize the research and time it will take”. The analyst was great: she broke down why it was an issue and explained how it opened up a pretty bad RCE type vulnerability. The whole conversation took twenty minutes

Is their job just to take a list of vulnerabilities from some tool and throw it over the fence to you?

musashiro@reddit

Sadly yep, even though its not something we should do 🤦‍♂️

[-]

fnordhole@reddit

Yeah, they don't vet whether the vulnerabilities match the target environment. For example, reporting Cisco vulnerabilities on a Windows 2022 server based on a default Nessus scan running from inside the network with domain admin credentials. They just copy and paste the boilerplate frkm the tool they use.

They're a bunch of six figure copy-paste monkeys who can do no wrong so long as they're making life difficult for everybody. So they double down.

[-]