Microsoft Adds Vulnerable Components Preview to Defender Vulnerability Management

Microsoft this week announced a preview of a new Vulnerable Components Inventory feature in its Microsoft Defender Vulnerability Management service.

The Vulnerable Components Inventory shows vulnerabilities in software on devices within an organization, such as out-of-date open source Log4j and OpenSSL components within that software. The information gets displayed in the Microsoft Defender portal under a "Vulnerable components tab."

IT pros get a summary listed by "component name and vendor, the number of weaknesses found for that component, and if there are active threats or alerts associated with it," Microsoft explained. The feature is needed because it may be difficult for organizations to know that such vulnerabilities are present in software they use.

"As software systems become increasingly complex and software developers rely more on open-source software packages and commercial third-party software components, it has become difficult for security teams to keep track of and mitigate new vulnerabilities found within software being used in their organizations," the announcement noted.

Users of the Vulnerable Components Inventory will get "actionable Security Recommendations" on top of security prioritizations with this feature. It'll indicate "Attention required" for specific items, which is designed to alert teams and help them "explore their next steps."

Microsoft is pledging to expand the Vulnerable Components Inventory based on the "ever-evolving threat landscape and customer demand." It recently added WebP and Apache Struts 2 to its Vulnerable Components Inventory list.

Microsoft didn't indicate whether all Microsoft Defender Vulnerability Management users would be getting the Vulnerable Components Inventory as a standard feature. Last year, Microsoft rolled out a "standalone" version of the Microsoft Defender Vulnerability Management solution supporting all capabilities. Defender for Endpoint P2 licensees, who also have access to Microsoft Defender Vulnerability Management, needed to pay for an add-on to get the same capabilities.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

