科技回声 (Tech Echo)

A tech news platform built on Next.js, mirroring global tech news and discussion (original source: Hacker News). © 2025 科技回声. All rights reserved.

Ask HN: How much do you care about CVE in your team?

4 points | by megamix | 2 months ago
How much do you utilise vulnerability scanning tools at your job and how much does your team care about fixing them?

Do you handle internal applications differently?

Edit/update: Please mention your industry/sector as well.

4 comments

awaythrow999 | 2 months ago
We do have tools in every step of the SDLC so we can find issues as early as possible. Anything that is exploitable and left unpatched is a compliance violation, so we take it very seriously. That said, exploitability is very hard (expensive) to prove, so in practice we try to mitigate via upgrading instead of long pointless discussions about risk. The second thing this forces us to do is look at complexity and tech debt in a new light.
nextts | 2 months ago
Yes, we get chased up about it by security teams. Internal or external apps.
2rsf | 2 months ago
It's mandatory as part of the SDLC and supported by appropriate tooling; unfixed higher-level vulnerabilities are periodically tracked by middle-to-upper management.
comprev | 2 months ago
Tools in the pipelines detect and report on CVEs found.

We block high/critical by default and the rest are given a deadline to be resolved in agreement with security.
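As an added example (not code from any commenter or from this site), here is a minimal pipeline gate that implements the policy comprev describes (block high/critical by default, give everything else a deadline agreed with security) and also covers the tracking 2rsf mentions by flagging findings whose deadline has passed. The finding schema, the severity thresholds, the deadline lengths, the waiver mechanism and the CVE identifiers are all constructed placeholders, not any real scanner's output or any team's actual policy; adapt the loader to your scanner's JSON.

```python
"""Severity-gated CVE policy check for a CI pipeline (illustrative, constructed).

Rules (hypothetical policy, not from the thread's commenters):
  * CRITICAL/HIGH findings block the build outright.
  * MEDIUM/LOW/UNKNOWN findings get a remediation deadline counted from the
    day they were first seen; a missed deadline also blocks.
  * A finding can be waived by an expiring exception agreed with security.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

BLOCK_SEVERITIES = {"CRITICAL", "HIGH"}
DEADLINE_DAYS = {"MEDIUM": 30, "LOW": 90, "UNKNOWN": 30}


@dataclass
class Finding:
    cve: str                 # placeholder IDs below, not real CVEs
    package: str
    version: str
    severity: str            # scanner label, any case; may be empty
    cvss: Optional[float]    # fallback when the label is missing
    first_seen: date


@dataclass
class Waiver:
    cve: str
    package: str
    expires: date
    reason: str


@dataclass
class Verdict:
    blocked: list[str] = field(default_factory=list)
    tracked: list[tuple[str, date]] = field(default_factory=list)  # (cve, due)
    waived: list[str] = field(default_factory=list)

    @property
    def passes(self) -> bool:
        return not self.blocked


def normalize_severity(f: Finding) -> str:
    """Map a scanner label, or failing that a CVSS v3 score, to one bucket."""
    label = (f.severity or "").upper()
    if label in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
        return label
    if f.cvss is None:
        return "UNKNOWN"           # no label, no score: treat like MEDIUM
    if f.cvss >= 9.0:
        return "CRITICAL"
    if f.cvss >= 7.0:
        return "HIGH"
    if f.cvss >= 4.0:
        return "MEDIUM"
    return "LOW"


def evaluate(findings: list[Finding], waivers: list[Waiver], today: date) -> Verdict:
    v = Verdict()
    # Expired waivers are ignored, so a lapsed exception silently re-arms the gate.
    active = {(w.cve, w.package): w for w in waivers if w.expires >= today}
    for f in findings:
        w = active.get((f.cve, f.package))
        if w is not None:
            v.waived.append(f"{f.cve} in {f.package} (until {w.expires}: {w.reason})")
            continue
        sev = normalize_severity(f)
        if sev in BLOCK_SEVERITIES:
            v.blocked.append(f"{f.cve} in {f.package} {f.version}: {sev} blocks by default")
            continue
        due = f.first_seen + timedelta(days=DEADLINE_DAYS[sev])
        if due < today:
            v.blocked.append(f"{f.cve} in {f.package} {f.version}: {sev} deadline {due} missed")
        else:
            v.tracked.append((f.cve, due))
    return v


# Constructed sample scan: placeholder CVE IDs and packages, not real data.
SAMPLE_FINDINGS = [
    Finding("CVE-9999-0001", "liba", "1.2.3", "High", 7.5, date(2025, 3, 1)),
    Finding("CVE-9999-0002", "libb", "0.9.0", "", 5.5, date(2025, 2, 20)),
    Finding("CVE-9999-0003", "libc", "2.0.1", "Low", 3.1, date(2024, 11, 1)),
    Finding("CVE-9999-0004", "libd", "4.4.0", "Critical", 9.8, date(2025, 3, 2)),
    Finding("CVE-9999-0005", "libe", "1.0.0", "", None, date(2025, 3, 5)),
]
SAMPLE_WAIVERS = [
    Waiver("CVE-9999-0004", "libd", date(2025, 4, 1), "vulnerable code path not reachable"),
]
SAMPLE_TODAY = date(2025, 3, 10)


def run_sample() -> Verdict:
    return evaluate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, SAMPLE_TODAY)


if __name__ == "__main__":
    verdict = run_sample()
    for line in verdict.blocked:
        print("BLOCK  ", line)
    for cve, due in verdict.tracked:
        print("TRACK  ", cve, "due", due)
    for line in verdict.waived:
        print("WAIVED ", line)
    raise SystemExit(0 if verdict.passes else 1)
```

The non-zero exit code is what makes this a gate: wire `run_sample()` (or a loader for your scanner's output) into the pipeline step and let the exit status fail the job. Keeping waivers as data with an expiry date, rather than as ad-hoc ignore flags, is what makes "agreed with security" auditable.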