Hacker News

jollofricepeas, today at 2:30 AM

The funny thing is…

You’re stating the problem with that whole sector.

I really wish product owners, researchers and tool creators had more actual real world experience on the remediation side. I think that’s the reason we have so many crappy tools.

- We need a better way of addressing business logic issues and sensitive data leakage which starts at the data model and flows from there.

- Within large organizations we need better risk data about vulns to aid with prioritization and remediation, which is always the larger problem (sifting through noise).

- We need automated threat modeling tools that reduce a team's need to start from zero.

Fundamentally a tool is a waste of time if it can’t tell you there’s “x% possibility of downtime or sensitive data leakage.”

Addressing the risk equation (r = il), where the impact and likelihood variables are baked into every tool and based on real-world data, is where we should be.

Until then, vulnerability scanning and management will continue to suck.