Edit: Merge.io is no longer around; however, I will keep this post up as part of the discussion around vulnerability management.

I’ve been known to say that vulnerability detection is easy—it’s vulnerability management that’s hard. There are too many tools available today that can tell you everything that is wrong with your security posture. The real work comes in finding the root cause of the issue, permanently eradicating it from your environment (as in changing server configurations, patching gold builds, and dealing with sleeping physical or virtual instances), and validating to everyone who wants to know that you were successful in doing so.


Time and time again, my customers complain about the challenges associated with getting clean vulnerability scans. In fact, that might be one of the more challenging things to get right in PCI DSS. If you run a small, relatively static environment with only a few servers, you probably don’t understand the problem I’m discussing. For those of you who have to deal with larger environments with multiple teams and stakeholders, getting that scan to a clean state can be like herding cats. Especially since the majority of you are trying to manage this process in Microsoft Excel while sharing versions with your team via SharePoint (or marking up long PDF reports or trying to dink around with CSV files). I know not all of you do it that way, but I guarantee there are quite a few of you out there with your lighters in the air right now.

Enter the new Merge.io platform (edit: no longer available). Offered either cloud-based or on-prem in a virtual appliance, Merge.io takes your vulnerability data and allows you to slice, dice, assign, and validate your scan data automatically. Instead of trying to deal with thousands of rows in a spreadsheet or hundreds of pages in a PDF, you drop your scan data into Merge and it drops all the data into a unified backend format that you can do tons of things with. You can assign vulnerabilities to individuals to resolve, filter in an almost infinite number of ways, and you get a great dashboard that shows you your progress to your goal. Your management reporting is now just a click away!

Now, getting those clean scans is really the problem we are trying to solve. Merge.io gives you the ability to keep importing scan data into the same project and automatically validate the vulnerabilities that have been fully resolved: a vulnerability marked as fixed is closed only once a later scan confirms it is gone. That is the closed-loop approach.

Do you only care about PCI-related vulnerabilities, or only want to see things related to Apache? No problem! Through highly customizable filters, Merge.io can display only those for you to assign and handle. Have thousands of vulnerabilities to chase down and validate? DONE! Merge.io handles validation for you, confirming through its closed-loop approach that you have closed out those vulnerabilities. If you are the person managing vulnerabilities for a large infrastructure footprint, this is a tool you need to check out as a way to help automate and scale parts of your job.
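The closed-loop validation and filtering described in the two paragraphs above, as an added example that is not Merge.io's code: a small Python model of a project that repeated scan imports feed into, where a finding someone has marked resolved is validated only once a later scan no longer reports it, flips to reopened if the scanner still sees it, and can be filtered by tag (PCI, Apache). Host addresses, plugin ids, tags and the "web-team" owner are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    vuln_id: str
    tags: frozenset
    status: str = "open"   # open -> resolved -> validated, or reopened if the scanner still sees it
    owner: str = ""

class Project:
    def __init__(self):
        self.findings = {}   # (host, vuln_id) -> Finding; every scan of the environment lands here

    def import_scan(self, rows):
        seen = set()
        for host, vuln_id, tags in rows:
            key = (host, vuln_id)
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(host, vuln_id, frozenset(tags))
            elif f.status in ("resolved", "validated"):
                f.status = "reopened"   # a fix was claimed, but the scanner still reports it
        # Closed-loop step: a finding claimed resolved that no longer appears is validated.
        for f in (f for k, f in self.findings.items() if k not in seen):
            if f.status == "resolved":
                f.status = "validated"
            elif f.status in ("open", "reopened"):
                f.status = "gone_unclaimed"   # vanished with no owner or root cause recorded

    def resolve(self, host, vuln_id, owner):
        self.findings[(host, vuln_id)].owner = owner
        self.findings[(host, vuln_id)].status = "resolved"

    def filter(self, tag=None, status=None):
        return [f for f in self.findings.values()
                if (tag is None or tag in f.tags) and (status is None or f.status == status)]

# Constructed sample data: two scans of the same hosts a week apart (plugin ids are made up).
SCAN_WEEK1 = [("10.0.0.5", "plugin-1001", {"apache", "pci"}),   # Apache httpd out of date
              ("10.0.0.5", "plugin-2002", {"pci"}),             # TLS 1.0 enabled
              ("10.0.0.9", "plugin-1001", {"apache", "pci"})]
SCAN_WEEK2 = [("10.0.0.5", "plugin-2002", {"pci"})]             # only this one is still found

def run_demo():
    p = Project()
    p.import_scan(SCAN_WEEK1)
    p.resolve("10.0.0.5", "plugin-1001", "web-team")   # gold build patched
    p.resolve("10.0.0.5", "plugin-2002", "web-team")   # claimed, but the config change never shipped
    p.import_scan(SCAN_WEEK2)
    return p
```

The "gone_unclaimed" state is the one worth chasing: the scanner stopped reporting it, but nobody recorded an owner or a root cause, so it may simply be a sleeping instance.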

This post originally appeared on BrandenWilliams.com.
