Meest recente aflevering
Vulnerability Overload: Making Prioritization Work in the Real World In this episode, Patrick Miller speaks with Kylie McLanahan, CTO at Bastazo, about the practical (and often messy) realities of patch and vulnerability management in operational technology (OT) environments. Kylie shares grounded insights into patching
Tijd: 35:36
In this episode, Patrick Miller speaks with Kylie McClanahan, CTO at Bastazo, about the practical (and often messy) realities of patch and vulnerability management in operational technology (OT) environments. Kylie shares grounded insights into patching challenges, the gaps between IT and OT remediation cycles, and the real-world implications of relying too heavily on scoring systems like CVSS.
The conversation covers CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploring how it’s being used (and possibly misused) in prioritization workflows, and where the disconnects lie between policy directives and operational feasibility. Kylie also critiques the current state of vendor responsiveness, machine-readable vulnerability disclosure (CSAF), and the importance of asset and exposure awareness.
This episode is essential listening for practitioners wrestling with patching fatigue, program prioritization, and the tradeoffs between theoretical vulnerability data and applied security outcomes in critical infrastructure environments.
Links:
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities
CISA vulnrichment: https://github.com/cisagov/vulnrichment
Vulnrichment, Year One: https://www.youtube.com/watch?v=g5pSVMnWD7k
CISA SSVC: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
Carnegie Mellon SSVC: https://certcc.github.io/SSVC/
CSAF: https://www.csaf.io/
VulnCheck KEV: https://vulncheck.com/kev
Kylie McLanahan on LinkedIn: https://www.linkedin.com/in/kyliemcclanahan/
Bastazo: https://bastazo.com
GUID: 6a074e89-d1c5-4aed-ab9e-cb34854d6c98
Releasedatum: 20-7-2025 18:54:36
