Hello Qualys Community,
I have a philosophical question/discussion on how Qualys customers assign out vulnerabilities to remediation teams:
- Do companies have 1 asset owner and that team gets all the vulnerabilities?
- If companies use the 1 asset owner, who is the asset owner? Is it the Platform team or the application team? Or some other team?
- Do companies have split vulnerability ownership?
- Meaning, OS vulns go to the Platform team and everything else goes to the Application team?
- If you are setup this way, how do you split the vulnerabilities that are on different ports? For example, TLS v1.0 is on 3389 (Remote Desktop) and can be on 80 (Web). One would be for the Platform team and the other would be for the Application team.
- How do you do your reporting?
If you work a totally different way than the above, please let me know. We are trying to decide if we want to change up the processes we have in place. We use split ownership and use tickets to create our own reporting through the API. We have gone to this length because Qualys cannot/will not add the Due Date field in the canned reporting and Qualys does not have the ability to filter by port in the canned reporting.
Any suggestions would be greatly appreciated.