Overview
Software vulnerability risk is shaped by rapidly increasing disclosure volumes, unreliable public data sources and a shrinking window between vulnerability disclosure and active exploitation. Understanding where your current approach leaves blind spots, and how to close them, is essential for reducing breach risk, maintaining compliance and protecting business operations.
In this on-demand webinar, Flexera's Nathan Stevens and Jeroen Braak break down why traditional vulnerability management approaches are failing, how the National Vulnerability Database (NVD) has become unreliable, and what organizations need to do differently—with a live demo of Flexera's Software Vulnerability Research and Software Vulnerability Manager platforms.
You'll learn how to shrink your risk window and focus remediation on the threats that actually matter, including:
- Why over 250 vulnerabilities are now disclosed per business day—and why that number is accelerating due to AI
- Why the NVD is moving to a selective model that will cover less than 50% of validated vulnerabilities—and what that means for downstream tools
- How Secunia Research's verified, context-rich intelligence enables same-day alerting, accurate CVSS scoring and prioritized remediation across 74,000+ product versions
This session is designed for security teams, IT operations, ITAM practitioners and compliance officers who need a clear, practical approach to vulnerability management before the next disclosure, audit or regulatory deadline.
Speakers
Nathan Stevens
Senior Director, Solutions Engineering (APAC)
Flexera
Jeroen Braak
Security Sales Specialist
Flexera
Key takeaways for security, IT operations and ITAM teams
- Vulnerability volume has doubled—and traditional approaches can't keep up. Organizations now face over 250 new vulnerabilities per business day, up from 180 in 2025. AI and automation are accelerating both disclosure and exploitation, making manual tracking unsustainable.
- The NVD is no longer a reliable foundation for vulnerability management. Since February 2024, the NVD has been unable to maintain a verified, analyzed catalog of CVEs. It recently announced a shift to a selective, risk-based model that will focus only on US government priorities—resulting in less than 50% validated coverage. Organizations relying on NVD data downstream (through Tenable, Rapid7, Qualys, etc.) are inheriting those gaps.
- CVSS scores from vendors and public databases are frequently inaccurate. The webinar demonstrates a live example where a vendor scored a vulnerability at 3.3, Tenable scored it at 5.5, and Secunia Research's verified assessment confirmed it at 7.5—a critical difference that determines whether compliance teams act within days or deprioritize entirely.
- 99% of successful exploits target known vulnerabilities—and less than 10% of vulnerabilities are ever exploited. This means prioritization is the single most impactful capability. Patching everything is neither possible nor necessary—but patching the right 10% is critical.
- The risk window has collapsed from 30 days to less than one day—while average remediation still takes 192 days. Attackers are building exploits within hours of disclosure. Without same-day intelligence and automated remediation workflows, organizations are exposed for months before patches are deployed.
- The Jaguar Land Rover breach illustrates the real-world cost of an open risk window. The most costly cyberattack in UK history resulted in approximately £2 billion in economic losses, five months of limited production and logistics, 50% lost production in the final quarter, and an estimated £30 million in lost revenue in Q3 alone.
- Flexera delivers 70% reduction in time spent researching and validating security data—and can reduce patch deployment timelines from weeks or months to hours and days through automated, prioritized remediation.
Why most organizations are missing the software risks that matter most
Why vulnerability volume is overwhelming traditional security teams
Over 250 new vulnerabilities are disclosed every business day—and the number is accelerating faster than any team can manually track. The volume increase is driven by AI-powered discovery, broader software ecosystems and more active disclosure from researchers and vendors. Traditional processes that rely on manual research, spreadsheet tracking or periodic scanning can't keep pace. The webinar shows how Secunia Research monitors 74,000+ product versions and delivers same-day advisories for 95–97% of disclosures—providing the speed and coverage that manual processes cannot.
Outcome: Automated, curated intelligence replaces manual research—enabling teams to focus on action rather than tracking.
Why relying on public vulnerability databases creates dangerous blind spots
The NVD has been dysfunctional since February 2024 and is moving to a selective model that will cover less than 50% of validated vulnerabilities. Most traditional vulnerability scanners—Tenable, Rapid7, Qualys—rely on NVD data downstream. As the NVD reduces its scope to focus only on US government priorities, the gaps in enrichment, analysis and validation are passed directly to organizations using those tools.
The webinar demonstrates how Secunia Research provides independent, verified intelligence that doesn't depend on the NVD—including accurate CVSS scoring, exploit context and same-day remediation guidance.
Outcome: Organizations using verified, independent intelligence sources avoid inheriting the NVD's growing coverage gaps—and can trust their prioritization decisions.
Why accurate CVSS scoring is the difference between action and inaction
Vendor-provided and public CVSS scores are frequently inaccurate—and the difference can determine whether a vulnerability is treated as critical or ignored. The webinar includes a live demonstration: a vulnerability scored at 3.3 by the vendor, 5.5 by Tenable, and 7.5 by Secunia Research after independent verification. For organizations with compliance policies that require remediation within two weeks for vulnerabilities scoring 7.0 or above, this discrepancy is the difference between timely patching and months of undetected exposure.
Outcome: Verified CVSS scoring ensures compliance-driven remediation timelines are triggered by accurate data—not underreported vendor assessments.
Why shrinking the risk window is the most impactful security investment
The gap between vulnerability disclosure and remediation defines the opportunity for exploitation—and that gap is now measured in months while exploits appear in hours. The webinar introduces the "risk window" framework: disclosure-to-awareness time and awareness-to-remediation time. Average remediation still takes 192 days, while time to first exploit has dropped to less than one day. Flexera's Software Vulnerability Manager closes this gap through same-day alerting, automated patch publishing and integration with endpoint management tools (ConfigMgr, Intune, JAMF, WSUS, Tanium, Workspace ONE)—with the world's largest third-party patch catalog of over 14,000 patches.
Outcome: Patch deployment timelines are reduced from weeks and months to hours and days—directly shrinking the window of opportunity for attackers.
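As an added illustration (not code from the webinar or from Flexera's products), the following Python models the two-phase risk window described above together with the CVSS-threshold policy from the scoring example: the same vulnerability is out of scope for a 7.0-or-above policy when the vendor or scanner score is trusted, and overdue when the verified score is used. The policy, timestamps and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy mirroring the page: CVSS >= 7.0 must be fixed within two weeks.
SLA_THRESHOLD = 7.0
SLA_DAYS = 14


@dataclass
class VulnRecord:
    cve_id: str                               # placeholder id, constructed
    disclosed: datetime                       # public disclosure
    aware: Optional[datetime] = None          # when the team learned of it
    remediated: Optional[datetime] = None     # when the patch was deployed
    scores: dict = field(default_factory=dict)  # score source -> CVSS base score
    exploit_known: bool = False               # exploit observed in the wild


def risk_window(v: VulnRecord, now: datetime) -> dict:
    """Split the risk window into the page's two phases, in whole days.
    A phase that has not ended yet is measured up to `now`."""
    aware = v.aware or now
    fixed = v.remediated or now
    return {
        "disclosure_to_awareness": (aware - v.disclosed).days,
        "awareness_to_remediation": (fixed - aware).days,
        "open": v.remediated is None,
    }


def sla_deadline(v: VulnRecord, source: str) -> Optional[datetime]:
    """Deadline the policy imposes when `source`'s score is trusted, or None if
    that score keeps the vulnerability out of the policy's scope."""
    score = v.scores.get(source)
    if score is None or score < SLA_THRESHOLD:
        return None
    return (v.aware or v.disclosed) + timedelta(days=SLA_DAYS)


def sla_status(v: VulnRecord, source: str, now: datetime) -> str:
    """'not in scope', 'open', 'breached', 'met' or 'missed' for one score source."""
    deadline = sla_deadline(v, source)
    if deadline is None:
        return "not in scope"
    if v.remediated is not None:
        return "met" if v.remediated <= deadline else "missed"
    return "breached" if now > deadline else "open"


def prioritize(records, source: str = "verified") -> list:
    """Known-exploited first, then highest verified score: the 'right 10%' first."""
    ranked = sorted(records, key=lambda r: (not r.exploit_known, -r.scores.get(source, 0.0)))
    return [r.cve_id for r in ranked]


# Constructed sample: the first record carries the page's 3.3 / 5.5 / 7.5 scores.
DISCLOSED = datetime(2026, 3, 2)
SAMPLE = [
    VulnRecord("CVE-XXXX-0001", DISCLOSED, aware=DISCLOSED,
               scores={"vendor": 3.3, "scanner": 5.5, "verified": 7.5}),
    VulnRecord("CVE-XXXX-0002", DISCLOSED, aware=DISCLOSED + timedelta(days=30),
               scores={"verified": 9.8}, exploit_known=True),
    VulnRecord("CVE-XXXX-0003", DISCLOSED, aware=DISCLOSED,
               remediated=DISCLOSED + timedelta(days=192), scores={"verified": 6.5}),
]
```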
Why software vulnerability risk management matters
- Exploitation of known software vulnerabilities remains the greatest cause of security incidents, according to the UK National Cyber Security Centre, the Australian government and multiple regulatory frameworks and schemes including DORA, NIS2 and Cyber Essentials Plus.
- Only 6–8% of vulnerabilities lead to an exploit that could damage your organization—but without verified threat intelligence, teams can't identify which ones they are and waste resources patching blindly. (Flexera: Software Vulnerability Management)
- Secunia Research has provided market-leading vulnerability intelligence since 2002, covering 74,000+ product versions with same-day advisories, verified CVSS scoring and exploit-linked threat scores—independent of the NVD. (About Secunia Research)
- Flexera delivers the largest third-party patch catalog in the industry with over 14,000 patches, integrated with all major endpoint management tools for automated, prioritized remediation. (Flexera Patch Management)
If your team needs to identify, prioritize and remediate software vulnerabilities faster, Flexera's security solutions help:
- Software Vulnerability Research—verified, curated intelligence from Secunia Research with same-day advisories, threat scoring, exploit context and automated notifications across 74,000+ product versions
- Software Vulnerability Manager—scan, assess, prioritize and patch across Windows, Mac and Red Hat Linux with the industry's largest third-party patch catalog and integration with ConfigMgr, Intune, JAMF, WSUS and more
- Fully operational within an hour of deployment—reducing research time by 70% and patch deployment from weeks to hours
Frequently asked questions
The risk window is the time between when a vulnerability is disclosed and when it's remediated. It has two phases: disclosure-to-awareness (how quickly you learn about it) and awareness-to-remediation (how quickly you fix it). With exploits now appearing in less than a day and average remediation taking 192 days, shrinking this window is the most impactful action security teams can take.
Since February 2024, the NVD has been unable to maintain a fully validated catalog of CVEs. It recently announced a shift to a selective model focused on US government priorities, which will result in less than 50% validated coverage. Organizations relying on tools that use NVD data downstream—such as Tenable, Rapid7 and Qualys—are inheriting those gaps.
Secunia Research independently tests, verifies and validates vulnerabilities across 74,000+ product versions. It delivers same-day advisories with verified CVSS scores, exploit intelligence and remediation guidance—regardless of whether the NVD has processed the vulnerability. The webinar shows a live example where Secunia's verified score was 7.5 versus the vendor's 3.3 and Tenable's 5.5.
Flexera Software Vulnerability Manager is designed to complement or replace traditional scanners by combining Secunia Research intelligence with lightweight scanning (700 KB agent), prioritization based on threat scoring, and the industry's largest third-party patch catalog. It integrates with ConfigMgr, Intune, JAMF, WSUS, Tanium and Workspace ONE for automated remediation.
Software Vulnerability Manager can be fully operational within an hour of receiving the license. The lightweight scanner runs as a scheduled task, scanning executables, DLLs, OCX files and Log4j JAR files in under two minutes. Training and initial configuration support are included to ensure teams are scanning and prioritizing from day one.
Transcript
Nathan Stevens 00:04 - 02:39
Awesome. Welcome, everybody, to tonight's, or today's, session, depending on where you're viewing this particular webinar from.
Give everyone a few seconds to join today, get into the Goldcast motion, and get ready for the next thirty minutes or so of how to see the risk others missed in your software estate. So today, we're going to take a bit more of a deeper dive into what an overview, really, just a teaser of some of the capabilities within the Flexera stack that you may not be aware of and particularly focus on the risk.
Today, we're joined by Jeroen who's going to take us through the security, component of the solution. So welcome, Jeroen.
Thanks for joining us. So just get stuck in.
So for those that haven't, and it's maybe your first webinar with us, we have gone through a whole series of these as well. So this is the last nine in the series.
These are available, online in some in some capacity as well, so, you know, some links will be shared in a second, if you wanna do catch up and watch any of these on demand. Continuing on with the webinar series.
So, really, today, we're focused on how to see the risk others miss. So depending on where you're joining this from, you'll get access to this content on the nineteenth or the twentieth.
Looking ahead for the next two months, in June, we'll cover proving ITAM value, so a bit of a look into how do you sort of elevate the conversations around ITAM to the c level. And in July, we're gonna take a focus on metrics that matter.
So really looking into FinOps and the type of metrics that you can surface to really drive home the value and ROI around, the FinOps technology there. So today, like I always start with these sessions, I just put the platform front and center.
And today's a little bit different in terms of where we're going to focus is kind of adjacent to, you know, the platform. So we have some fantastic capability around security vulnerability research from the security team and also around how do we do that vulnerability remediation through Software Vulnerability Manager.
So I'm not gonna go through and, bore you to death, with any of my talk today, so I'll hand over to Jeroen who's going to take you through the details, in this space. So over to you.
Jeroen Braak 02:39 - 30:03
Yeah. Thanks, Nathan.
So hi, everyone. Yeah.
Let's talk about security. So first, you know, security has no less than 70 categories, and each category needs specialists, budgets, solutions, and they're all as equal as important to everyone involved.
So, what we do with Flexera's risk management solutions, we focus on the three Magenta ones. Obviously, with, the Regionspod Security acquisition, we are able to also add cloud security.
And with our ITV or IT visibility solution, we can deliver a higher confidence in more comprehensive risk and compliance management, of course, depending on the requirements and expectations of the customer. So let's dive, right in into the vulnerability and patch management and what that means.
So first, you know, what is a vulnerability? A vulnerability is a flaw. It's a bug.
It's a weakness in the system design, and it can be exploited at some point. You know? Software vulnerabilities are also referred to as a CVE, a unique identifier for each vulnerability, and one CVE could potentially affect just one or, you know, most of the time, multiple products, you know, even up to 200 products can be affected by one CVE or one vulnerability.
They're all registered through a platform called CVE.org.
It's a semi-government agency out of the US, and it's also covered in the NVD, the National Vulnerability Database, and all since 1999, so over twenty seven years now. And what we see is a huge increase in the number of vulnerabilities.
It's it's increasing rapidly, and that's not only because, you know, we are getting better in what we do, but, you know, also what happens with the AI, with MyFalls, you know, we see that a lot of lower bids are being disclosed right now. Where in 2025, we had about a 180 vulnerabilities per business day.
Currently, here today, we are over 250 CVEs per business day. You know, let that sink in.
How do you track? How do you know? And how do you keep up with that? And, you know, we also see that with our own dedicated market leading research team, Secunia Research. We see a huge increase in, like, we never seen before.
As you can see here, you know, the past few years, it's pretty mild, I would say. But, you know, if we look at this year, you know, the numbers are doubling.
And that is, you know, mainly due to the LLMs or, to AI or automation. But, you know, it is a concerning situation that we're in because how do you cope with that? And as I mentioned before, you know, CVE information is maintained by, you know, this database, CVE.org, and the NVD, the National Vulnerability Database. And normally, the NVD pushes or publishes actually CVEs with additional information.
They do, like, analysis and making sure that, you know, all the information is correct in there. But, unfortunately, during the last two years since February 2024, we see that NVD is no longer up to the task to maintain a verified, analyzed catalog of CVEs, making it, therefore, dysfunctional and unreliable.
But many organizations still use that free data downstream. You know, we see that in the Tenables or Rapid7s, the Qualyses and all those major traditional vulnerability scanners out there.
And, actually, three weeks ago, the NVD announced that they are moving to a more selective risk based model. That means that they only will focus on subset of the of all the products that they normally would care about.
And that is gonna be a huge issue. You know, they're only gonna focus for internal customers.
They're the US government. And that will result in less than 50% coverage in the validated and analyzed and enriched information that the organizations are looking for.
There's great news for malicious actors, you know, because they can you know, the vulnerabilities will still be disclosed, but, you know, there will be less information for people to actually remediate them. So the malicious actors can build exploits faster and be more successful.
So, you know, what is an exploit then? So, an exploit is our worst nightmare. When a vulnerability is disclosed by a vendor or before they even know, right, a zero day, malicious actors have already started building so called exploits or proof of concepts that could lead to ultimately a ransomware attack, a malware, data theft, or even other costly impactful events that can cripple companies, industries, people at home, hospitals, people even died in the past because of breaches.
And, you know, even governments could be affected by it. And, you know, exploitation of known software vulnerabilities remains the greatest cause of security incidents.
And that's not me saying it, but it's the National Cyber Security Centre saying it. It's the Australian government saying it, and there are so many other authorities and compliance or regulators out there for the industry, like Cyber Essentials Plus, DORA, NIS2, you know, all these in the list.
And some in some of these compliance rules and regulations, even that the board level people are being personally responsible for, you know, for fines or even losing their job. So it's very important that we keep track of everything and we try to do our best.
And the best thing we can do, of course, is to patch. Right? The patch is the data for modifying existing software resource as you can read.
But it's also very important because, you know, there are some problems with patching. You know, it doesn't come out as fast as we would.
And if it comes out, the problem is that, you know, you need to find the patch first. You need to know if it's applicable to your environment and then, you know, deploy it.
That can take sometimes, you know, days, weeks, even sometimes months in some cases. And that means that, you know, the malicious actors will have access to your environment, whether you know it or not.
But that could, lead up to, like, huge, you know, massive, exploits or or other negative consequences.
Nathan Stevens 30:03 - 30:49
Yeah. Perfect.
So I think I've answered some of the questions. We've been answering them in the chat, as we've been talking as well.
So thanks again, Jeroen, for joining us today. As, as we said, please reach out to Jeroen or I, if you wanna get some more information.
We've just added these two QR codes to point to the product pages on the Flexera website, to get some more details, but please do reach out, to us if you wanna dive deep dive into the solution. It's just impossible to get through absolutely everything in in the time that we have today, but, hopefully, this was a fantastic, sneak peek of, both of these fantastic capabilities, and, please reach out if you wanna know any more.
So thanks again, and thanks everyone for joining today.
Jeroen Braak 30:49 - 30:49
Thank you.