Essential 8 - Patching Application Vulnerabilities.
Once a patch for a vulnerability is released by a vendor, it should be applied in a timeframe commensurate with an organisation’s exposure to the vulnerability.
For example, once a vulnerability in an online service is made public, it can be expected that malicious code will be developed by malicious actors within 48 hours, sometimes within 24 hours.
Essential 8 Maturity Level 2 Controls and our Solution.
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Online services that are no longer supported by vendors are removed.
Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.
Maturity Level 2 for Mission Critical and Legacy systems.
Agencies struggle to maintain Essential 8 ML 2 controls for applying critical patches within 48 hours, especially for Mission Critical and Legacy systems.
Virtual Patching blocks specific exploits via the WAF, enabling immediate protection against vulnerabilities for public-facing services.