Develop capabilities

I'm still skeptical about vulnerability management.

You already keep track of bugs with an issue tracker, and of threats with a threat model. Maybe you already track the progress of your security capabilities. Or maybe you should.

Why would you want to manage your weaknesses?

Capabilities are made of two things.

1. Tools - Servers, apps, dashboards, command-line utilities. The stuff.
2. Practices - The things you do. The actions that shape culture.

You develop capabilities so you know how to adapt in the face of change.

You see the bad thing coming. You react at the right time. You recover without breaking a sweat.

Track the maturity of your patching skills, not the number of bugs in your dependencies.