For some, their favorite projects don’t roll into the shop one day and quickly rise to the top of the heap — they steadily grow into a favorite, like wine growing better with age. That’s what happened with Systems Engineer Warren Sinor when he was assigned a relatively routine task right after he began at InterWorks: An IT vulnerability scan.
The Scan
So, how’d this project land in Warren’s lap?
This has been a continuous project since I started at InterWorks. I actually got involved in my first or second month. They’re a large client we’ve been running vulnerability scans for over several years. It’s been a continuous improvement project. I’ve rebuilt the entire environment for the scanners and the appliance it runs on, as well as redefined the policies around that.
And what does the work actually entail? Well, on paper, it’s just supposed to be a simple scan of the client’s IT infrastructure for vulnerabilities. But Warren took it a step further:
One of the cool things I did with this project is address some of the gaps in how the client uses Tenable SE. It’s a great tool, but there wasn’t a good system in place to capture snapshots in time, make notes and say, “Hey, these are the vulnerabilities we’re working on fixing, and here’s what we’re seeing as of, say, November 1, 2024.”
When I took over, I created a process where I started exporting data from Tenable SE into Excel spreadsheets. We used those weekly to make notes, check things off and track progress. That worked fine at first, but even in the default Excel exports, some critical data was missing that would have been incredibly helpful.
For example, it didn’t automatically show how long a vulnerability had been known to the outside world, how long it had been present in our environment or how long it had been since it was last detected. These details raise important questions. Like, if a vulnerability was last seen on October 1, and now it’s November, should I care about it? If it’s no longer showing up, is it fixed? Or is that computer no longer on the network? There were a lot of unanswered questions like that.
What I ended up doing was automating the spreadsheet that I had been building manually every week for them. Not only did I automate it, but I also included more data that I was able to pull from the back end. I added some custom calculations, like how many days a vulnerability had existed and how many times it had been reopened. This really increased the spreadsheet’s usability for the client.
It was one of those projects where I got to do two things I love. First, there was the immediate gratification of seeing those new columns being used and appreciated by the team. Second, it involved automation, which is something I’m really passionate about.
This automation project is only one of the specific sub-projects that Warren undertook to automate, update and future proof his client’s IT stack — all under the umbrella of the IT vulnerability scan.
The Why
Warren alluded to it at the end of that last quote, but I wanted to drill deeper: Why was a simple IT vulnerability scan his favorite project of the year? Well, the answer is, more or less, that it wasn’t a “simple IT vulnerability scan” for him:
I think vulnerability scanning is really interesting, in-depth and fun. I enjoy the problem-solving aspect of it — sometimes it’s about critical thinking, like when there isn’t an immediate answer or there are multiple ways to address a vulnerability. It becomes a question of figuring out the best approach.
For example, there might be a device that no longer gets updates. How do we make sure it’s compliant, within standards or not vulnerable if we can’t remove it yet? Those kinds of challenges are really engaging for me.
Honestly, it’s great because it’s a continuous improvement effort.
And he talked further about the need for vulnerability scans, and keeping up with the ever-changing landscape of IT needs:
Some things are just too big to knock out in a week, and other things need constant attention. Vulnerability releases, for instance, never stop happening. You have to stay on top of it because the moment you close your eyes and plug your ears, you’re vulnerable.
Take Google Chrome, for example — they release a new vulnerability patch almost every month. Whatever they’re up to, it’s relentless. But even with that, I think projects like this are valuable because there isn’t really an endpoint. There’s no, “We’re finished.” It’s just a matter of continually making things better.
And I think that’s a great mindset to have for ongoing projects like this. With vulnerability scanning and related conversations, there’s never going to be a time to stop doing them, so there’s never going to be a reason to stop improving. We’ll never run out of time to make things better.
With an outlook like that, it’s no wonder that this is his favorite project of the year.
