Disruption is Coming for the Vulnerability Management Market - Tod Beardsley - ESW #425
Sep 22, 2025
Tod Beardsley, VP of Security Research at RunZero and an expert in security, discusses the shortcomings of traditional vulnerability management. He emphasizes the failure of CVE-centric approaches and highlights the importance of addressing issues like default credentials and misconfigurations. The conversation dives into recent NPM supply chain attacks, the fragility of the ecosystem, and community-driven solutions. Beardsley also touches on the latest trends in AI acquisitions and the cautious embrace of agentic AI within the banking sector.
CVE Is Necessary But Not Sufficient
- CVE is valuable but incomplete; it focuses on publicly identified software flaws and depends on vendor recognition.
- Many critical risks like default credentials, misconfigurations, and end-of-life software fall outside CVE coverage.
CVE vs Malware Noise
- Issuing CVEs for malware-injected package versions creates noise and may be the wrong signal for defenders.
- CVE serves best as a shared dictionary, not a real-time threat-intel feed.
Start With Accurate Asset Inventory
- Get asset management under control before chasing every CVE or patch.
- Continuously discover and profile what you actually own so you can prioritize based on exposure.