We use Rapid7 to continually check all our Apps against vulnerabilities. Use that, or something like it (e.g.: MetaSploit, W3GF, Nipper, Nexpose, Nessus, etc.) to test all devices and applications BEFORE they are put on your network.
When problems are discovered, identify they are not false positives and then correct the issues--or take the application or device off the network entirely until it can be made safe again. Use a "No Exceptions" policy for this.
rschroeder do you remember if you had to deal with any false positives for java jre? We use the same tools and we keep getting told that we have a java jre vulnerability. Solarwinds has confirmed that the Job Engine v2 does leverage java and there's no way around it.
Thankfully, our Security Team was tasked with the testing & distributing the results and required/recommended corrections. I don't recall receiving anything from about JAVA JRE, but that doesn't mean a concern wasn't found and corrected.
Your best bet is to run a security scanner on the incoming systems before they are put on the network, and then correct any problems before the devices are put online.
Then run the scans against all existing networked devices and create a remediation program to correct their shortcomings, weaknesses, and vulnerabilities. Such a scan and program must include ALL networked devices, including-but-not-limited to:
wireless
public/guest devices
kiosks
medical devices
security devices like cameras and badge readers
printers
EVERYTHING Bluetooth
Personal devices if they are brought into work and can access internal private networks or public external networks (these are often missed, and assumed safe--they're not). BYOD is a shortcut to being hacked if a great policy isn't built prior to allowing personal devices within a network/business, and enforced 100% of the time
servers
switches/routers/firewalls/access points
HVAC systems including anything with a wired or wireless network connection or a modem connection
fire detection systems/alarms
EVERYTHING IOT
the list goes on and on and on . . .
After you have the right scanning tool(s), a great policy for using them, and great practices for preventing vulnerable devices from being attached to the network, and for discovering legacy devices with problems that are already on the network, then you need to up your game and start scanning everything again. We used to do repeated scans of everything on the network on a monthly basis until most problems were identified and corrected. Then we dropped the "monthly" part and continually scan every address on the network. That helps reduce real-time vulnerabilities from growing over thirty days, and keeps everything running smoothly.
