Setting zero CVEs as a target is unrealistic and potentially harmful. Achieving zero CVEs may lead to compliance but neglects broader security concerns. Vendors claiming to ensure zero CVEs should be approached with skepticism. Constantly pursuing zero CVEs often entails upgrading software, which can introduce new features along with new vulnerabilities and stability issues. Therefore, while remediating known vulnerabilities is essential, striving for an unattainable zero CVEs status can obscure more significant security challenges and lead to negative consequences.
Chasing the goal of zero CVEs may tick off some compliance check boxes, but it will not fully address the evolving and holistic threats to enterprise security.
The very act of trying to achieve zero CVEs could actually increase vulnerability if the security big picture is ignored.
Zero CVEs is a term being bandied about as cybersecurity nirvana: the notion that software has no identified security vulnerabilities.
The only way to get close to zero CVEs at scale is to always upgrade to the latest upstream code, which leads to new features, new bugs, and other changes.