The question is: do we really need an employee in an organization who deals with vulnerabilities in the infrastructure on a full-time basis? Since this is similar to what I do for a living, I would naturally say yes, it is necessary. But as a person who works on security automation, I can say that there are some options.
A VA specialist makes recommendations to remove vulnerabilities from your infrastructure using some tools: vulnerability scanners, vulnerability feeds, various news sources. In the case of network vulnerabilities, he will most often tell your IT administrators: “Do we use software A with version BBB? I see that some security bulletin says there is a critical vulnerability in it.” That’s it.
The VA specialist usually doesn’t patch the hosts himself. Moreover, sometimes he can’t even detect the vulnerability, even if he has an expensive vulnerability scanner, because some vulnerabilities can only be detected locally during authenticated scanning, and this IS specialist may not have the permissions to do it.
Let’s look at the VMware vCenter Server vulnerability CVE-2017-5641 (published 2017-04-13):
> VMware vCenter Server contains a remote code execution vulnerability due to the use of BlazeDS to process AMF3 messages. This issue may be exploited to execute arbitrary code when deserializing an untrusted Java object.
How does it look from the VA side?
With the same success, an IT administrator can simply subscribe to VMware vulnerability notifications himself and learn that it’s time to patch before the VM vendor even creates a detection plugin. Much faster and more reliable!
In my opinion, for an SMB organization that doesn’t have an information security role, or has only one IT security specialist who is in charge of everything, a highly customizable vulnerability feed can give your IT guys the necessary information about what needs to be patched. And it is a much more cost-effective solution than a full-time Vulnerability Assessment specialist.
OK. A vulnerability feed will not tell us whether we have vulnerable software installed in our environment. But a VA specialist with an expensive Vulnerability Scanner in many cases won’t be able to tell you about it either without the help of IT. Why pay more?
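Here is what closing that gap looks like in practice: a small script, added here as an example and not part of the original post, that matches a customized vulnerability feed against the software inventory IT already keeps, so administrators are alerted only about products and versions they actually run. The feed format, the inventory, and the fixed-version numbers are constructed sample data (the fix versions are placeholders, not real VMware advisory values); only the CVE id comes from the post.

```python
# Added example: match a vendor vulnerability feed against an IT inventory.
# Feed entries, inventory rows and fixed_in versions are constructed sample
# data; the fixed_in values are placeholders, not real VMware advisory data.

def parse_version(version):
    """'6.5.0' -> (6, 5, 0), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))

def is_affected(version, branch_fixes):
    """True if `version` belongs to a branch (major.minor) listed in the
    advisory and is older than the first fixed build for that branch.
    branch_fixes example: {"6.5": "6.5.1"} (constructed placeholder)."""
    branch = ".".join(version.split(".")[:2])
    fixed = branch_fixes.get(branch)
    if fixed is None:
        return False  # branch not covered by the advisory; policy choice, review manually
    return parse_version(version) < parse_version(fixed)

def match_feed(feed, inventory):
    """Return (host, cve, product, version) for every vulnerable install."""
    hits = []
    for adv in feed:
        for item in inventory:
            if (item["vendor"], item["product"]) != (adv["vendor"], adv["product"]):
                continue  # customizable feed: only products we actually run
            if is_affected(item["version"], adv["fixed_in"]):
                hits.append((item["host"], adv["cve"], adv["product"], item["version"]))
    return hits

# Constructed feed entry; CVE id is the one discussed above, fix versions are placeholders.
FEED = [
    {"cve": "CVE-2017-5641", "vendor": "VMware", "product": "vCenter Server",
     "fixed_in": {"6.0": "6.0.3", "6.5": "6.5.1"}},
]

# Constructed inventory, as IT would export it from their asset list.
INVENTORY = [
    {"host": "vc01", "vendor": "VMware", "product": "vCenter Server", "version": "6.5.0"},
    {"host": "vc02", "vendor": "VMware", "product": "vCenter Server", "version": "6.5.1"},
    {"host": "vc03", "vendor": "VMware", "product": "vCenter Server", "version": "5.5.0"},
    {"host": "esx01", "vendor": "VMware", "product": "ESXi", "version": "6.5.0"},
]

if __name__ == "__main__":
    for host, cve, product, version in match_feed(FEED, INVENTORY):
        print(f"{host}: {product} {version} is affected by {cve}, patch it")
```

Only vc01 is reported: vc02 already runs the fixed build, vc03 is on a branch the advisory does not cover (flag such hosts for manual review if you prefer the post's "upgrade anyway" policy), and esx01 is a different product.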
So, how can we live without a VA specialist and traditional vulnerability scanners, but with vulnerability databases and subscriptions? I see these stages of process improvement:
Basically, you can stay on any stage for a long time. But moving to the next stage increases the efficiency of the process. False positives are also not so scary. It is better to upgrade without a particular reason than to miss a critical and exploitable vulnerability.