Continuous CVE scanning vs periodic patching: which one wins?
Patching alone is not security. Running apt upgrade on
a Sunday morning catches some vulnerabilities and misses others —
and the ones it misses are exactly the ones that bite. This post is
about the gap between patch cycles and continuous scanning, and why
the right answer is both.
What patching catches
A patch cycle works on a simple model: subscribe to upstream
security advisories, run the update tool weekly or monthly, take
the new package versions. For a Debian or Ubuntu host that means
apt update && apt upgrade picks up every fix published to
security.debian.org or security.ubuntu.com as of the moment you
run it.
This is genuinely effective for the most common case: a CVE was
disclosed, the distro maintainers backported a fix, and you
installed the fix. As long as the lag between disclosure and your
next apt upgrade is short, you're fine.
Three classes of risk that patching misses
1. Software not in your distro's repos
Plex, Jellyfin, Sonarr, Home Assistant, Grafana, Portainer, Pi-hole
— most homelabs run dozens of services that come from third-party
repos, Docker images, or one-off downloads. apt upgrade
doesn't update them. The fix for a CVE in Grafana 9.5 doesn't get
applied just because your Debian is current; you have to update
Grafana separately, which most people forget.
A CVE scanner that knows what versions you actually run (read from the binary's reported version string, not from the package manager's idea of it) catches this.
2. End-of-life packages still in stable repos
Distros sometimes carry a major version of a package past upstream
end-of-life and stop backporting fixes. Debian 11 carried Node.js
12 long after Node.js 12 reached EOL; Ubuntu 20.04 carries
python3.8 well past its upstream sunset. apt upgrade
reports those as "no updates available" — technically true,
catastrophically misleading.
A scanner that compares your installed version against upstream-CVE data (not just the distro's curated security feed) surfaces these gaps.
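Both gaps above come down to the same check: take the version the software itself reports, not the version dpkg believes is installed, and compare it against upstream data rather than the distro's curated feed. The following is an added example of that matching step, not Noxen's code. The inventory, the advisory table (CVE-0000-EXAMPLE* ids and their version ranges) and the scan date are constructed; the EOL dates for Node.js 12 and Python 3.8 are the upstream ones but should be confirmed against the projects' own schedules.

```python
"""Match a host's software inventory against upstream CVE ranges and EOL
dates, the two gaps a distro's own security feed leaves open.

Added example, not Noxen's code. Product names, versions, CVE ids
(CVE-0000-EXAMPLE*) and version ranges are constructed for illustration;
a real scanner would load them from NVD/OSV-style feeds and from an
end-of-life schedule source.
"""
import re
from datetime import date

# Inventory as a scanner builds it: versions read from the running software
# (health endpoint, --version output), not from dpkg. Constructed sample.
INVENTORY = {
    "grafana": "v9.5.1",
    "nodejs": "12.22.12",
    "openssl": "3.0.6-1~deb11u1",
    "jellyfin": "10.8.13",
}

# Constructed advisories: (id, product, introduced, fixed); 'fixed' is
# exclusive, so installed >= fixed means patched.
ADVISORIES = [
    ("CVE-0000-EXAMPLE1", "grafana", "9.0.0", "9.5.3"),
    ("CVE-0000-EXAMPLE2", "grafana", "10.0.0", "10.0.2"),
    ("CVE-0000-EXAMPLE3", "openssl", "3.0.0", "3.0.7"),
    ("CVE-0000-EXAMPLE4", "plex", "1.0.0", "1.32.0"),   # not installed here
]

# Upstream EOL dates per release branch (Node.js 12 and Python 3.8, as the
# post mentions); confirm against the projects' own schedules before use.
EOL = {
    "nodejs": {"12": date(2022, 4, 30)},
    "python3": {"3.8": date(2024, 10, 7)},
}

SCAN_DATE = date(2024, 1, 15)   # constructed "today" for the EOL check


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '3.0.6-1~deb11u1' or 'v9.5.1' into a comparable int tuple.

    Distro suffixes after '-', '~' or '+' are dropped. Each dotted component
    contributes its leading digits ('3rc1' -> 3); parsing stops at the first
    component that has none.
    """
    core = re.split(r"[-~+]", v.lstrip("v"), maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def match_cves(inventory, advisories):
    """Return one finding per advisory whose range covers the installed version."""
    findings = []
    for cve_id, product, introduced, fixed in advisories:
        installed = inventory.get(product)
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(introduced) <= v < parse_version(fixed):
            findings.append({"id": cve_id, "product": product,
                             "installed": installed, "fixed_in": fixed})
    return findings


def match_eol(inventory, eol, today):
    """Flag installed software whose release branch is past upstream EOL.

    This is exactly the case apt reports as 'no updates available'."""
    findings = []
    for product, branches in eol.items():
        installed = inventory.get(product)
        if installed is None:
            continue
        v = parse_version(installed)
        for branch, eol_date in branches.items():
            prefix = parse_version(branch)
            if v[:len(prefix)] == prefix and today >= eol_date:
                findings.append({"product": product, "installed": installed,
                                 "branch": branch, "eol": eol_date.isoformat()})
    return findings


def scan(inventory=INVENTORY, advisories=ADVISORIES, eol=EOL, today=SCAN_DATE):
    return {"cves": match_cves(inventory, advisories),
            "eol": match_eol(inventory, eol, today)}


if __name__ == "__main__":
    result = scan()
    for f in result["cves"]:
        print(f"{f['product']} {f['installed']}: {f['id']} (fixed in {f['fixed_in']})")
    for f in result["eol"]:
        print(f"{f['product']} {f['installed']}: branch {f['branch']} EOL since {f['eol']}")
```

The version parser deliberately throws away the distro revision (the -1~deb11u1 part) because upstream advisories are expressed in upstream versions; when a distro has backported a fix without bumping the upstream version, this comparison produces a false positive, which is the price of not trusting the distro feed and why real scanners consult both.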
3. Configuration vulnerabilities
No package update will fix an exposed Grafana login page on a
public IP, an SSH server still accepting password authentication,
a TLS endpoint serving TLS 1.0, or a Redis instance with no
authentication bound to 0.0.0.0. These are
configuration issues. A scanner that runs network probes — port
scan, TLS handshake audit, HTTP-header inspection,
admin-surface fingerprinting — catches them. A patch cycle never
touches them.
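The configuration class is the one a scanner can only find by looking at the service itself. As an added example (not Noxen's scanner), the following checks the three cases named above from configuration text rather than live network probes, so it runs offline; the sshd_config, redis.conf and nginx fragments are constructed samples with the weak settings deliberately present.

```python
"""Audit service configuration for the exposure classes no package update
fixes: SSH password authentication, Redis without a password on all
interfaces, deprecated TLS protocol versions.

Added example, not Noxen's scanner. It reads config text rather than
probing the network, so it runs offline; the three configs below are
constructed samples with the defects deliberately present.
"""

SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
# PasswordAuthentication no
PasswordAuthentication yes
KbdInteractiveAuthentication no
"""

REDIS_CONF = """\
bind 0.0.0.0
port 6379
# requirepass <set-me>
"""

NGINX_SSL = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
"""


def directives(text):
    """Yield (key, value) for each non-comment line, key lower-cased and a
    trailing nginx ';' removed. Works for the whitespace-separated
    'Keyword value' style all three files share."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        yield key.lower(), value.strip().rstrip(";")


def audit_sshd(text):
    # sshd uses the first value it sees for a keyword, so keep first occurrences.
    conf = {}
    for key, value in directives(text):
        conf.setdefault(key, value)
    findings = []
    # OpenSSH's compiled-in default is 'yes', so a missing directive is a finding too.
    if conf.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("sshd: PasswordAuthentication is enabled")
    if conf.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("sshd: PermitRootLogin yes allows root password login")
    return findings


def audit_redis(text):
    conf = dict(directives(text))
    findings = []
    binds = conf.get("bind", "").split()
    # No bind directive, or a wildcard address, means every interface.
    everywhere = not binds or any(b in ("0.0.0.0", "*", "::") for b in binds)
    if everywhere and "requirepass" not in conf:
        # protected-mode only guards a server with *no* bind directive, so an
        # explicit 'bind 0.0.0.0' without requirepass is open to the network.
        if not binds and conf.get("protected-mode", "yes") == "yes":
            findings.append("redis: no bind and no requirepass; only protected-mode blocks remote clients")
        else:
            findings.append("redis: reachable on all interfaces with no requirepass")
    return findings


def audit_tls(text):
    conf = dict(directives(text))
    protocols = set(conf.get("ssl_protocols", "").split())
    weak = sorted(protocols & {"SSLv3", "TLSv1", "TLSv1.1"})
    if weak:
        return [f"tls: deprecated protocols enabled: {' '.join(weak)}"]
    return []


def audit_all(sshd=SSHD_CONFIG, redis=REDIS_CONF, nginx=NGINX_SSL):
    return audit_sshd(sshd) + audit_redis(redis) + audit_tls(nginx)


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Reading the files catches drift in the config; it does not prove what the service actually answers on the wire (a stale process running an older config, or a second instance started by hand, passes a file audit), which is why a scanner pairs checks like these with the TLS handshake and port probes the post describes.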
The disclosure-to-patch gap
Even when a CVE is covered by your distro, the timeline between disclosure and a backported fix can be days, sometimes weeks. Look at the OpenSSL "spooky" CVEs of November 2022 (CVE-2022-3602 and CVE-2022-3786): a one-week pre-disclosure window, backports that landed within hours of the public release for Debian and Ubuntu, and yet any host that hadn't been upgraded in more than 7 days missed the window and stayed exposed until its next patch run.
Continuous scanning closes this gap by telling you the morning after disclosure: "your host has openssl 3.0.7-x, the fix is in 3.0.8-y, here's the upgrade command." You don't have to be subscribed to the mailing lists that carry the USN-XXXX or DSA-XXXX advisories. The scanner already knows.
What continuous scanning catches
- CVEs in third-party software your distro doesn't track.
- EOL packages your distro hasn't dropped yet.
- Configuration regressions (firewall rules drifted, TLS settings reverted, SSH password-auth re-enabled).
- New CVEs that landed since your last patch run, before your next one.
- Cross-host inconsistencies — one box patched, another not.
None of those are caught by apt upgrade. Some are
caught by unattended-upgrades; most aren't. Almost all
of them are caught by a CVE scanner that runs nightly and reports
the diff.
The right answer is both
Continuous scanning is not a replacement for patching — it's
complementary. The job of the scanner is to tell you what to
patch; the job of apt (or
unattended-upgrades, or your config-management tool of
choice) is to actually apply the patches. Without scanning you
don't know what you're missing. Without patching you can't act on
what scanning tells you.
What "continuous" means in practice
For a homelab, "continuous" doesn't mean every minute. It means:
- Daily-ish CVE feed updates — the database the scanner matches against should be no older than 24h.
- Nightly host scans — every enrolled host gets re-inventoried and re-matched once a day.
- Diff-from-yesterday reporting — you should only see what changed since the last scan, not the same 200-row list every morning.
- Critical-finding alerts — for the small subset that warrant interrupting your day.
That's the cadence Noxen ships at — daily feed updates on the Live Feed tier, scheduled nightly scans on the one-time license, push-notification alerts on critical findings.
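The four cadence points above are mostly bookkeeping around the scan itself: is the feed fresh enough to trust, what changed since yesterday, and which of the changes deserve a notification. The block below is an added example of that bookkeeping, not Noxen's code; the two nights of findings (with CVE-0000-EXAMPLE* placeholder ids), the hosts and the timestamps are constructed, and a finding is identified by its (host, id) pair.

```python
"""Turn two nightly scan results into the diff-from-yesterday report the
post describes, with the feed-freshness check and critical-only alerting.

Added example, not Noxen's code. Hosts, finding ids (CVE-0000-EXAMPLE*)
and timestamps are constructed; a finding is identified by (host, id).
"""
from datetime import datetime, timedelta, timezone

MAX_FEED_AGE = timedelta(hours=24)   # the post's "no older than 24h"

# Constructed scan results: (host, finding id) -> severity.
YESTERDAY = {
    ("nas", "CVE-0000-EXAMPLE1"): "high",
    ("nas", "sshd-password-auth"): "medium",
    ("pi", "CVE-0000-EXAMPLE2"): "critical",
}
TODAY = {
    ("nas", "CVE-0000-EXAMPLE1"): "high",        # still open
    ("pi", "CVE-0000-EXAMPLE2"): "critical",     # still open
    ("pi", "CVE-0000-EXAMPLE3"): "critical",     # new since the last patch run
    ("media", "sshd-password-auth"): "medium",   # config regression on another host
}

# Constructed clock: a 06:00 UTC report with a feed pulled five hours earlier,
# plus a stale feed for comparison.
NOW = datetime(2024, 5, 2, 6, 0, tzinfo=timezone.utc)
FEED_UPDATED = NOW - timedelta(hours=5)
STALE_FEED = NOW - timedelta(hours=40)


def feed_is_fresh(feed_updated, now, max_age=MAX_FEED_AGE):
    """A scan matched against stale CVE data is a false 'all clear',
    so freshness is checked before any result is trusted."""
    return now - feed_updated <= max_age


def diff_findings(previous, current):
    """Split findings into new (not seen yesterday) and resolved (gone today)."""
    new = {k: current[k] for k in current.keys() - previous.keys()}
    resolved = {k: previous[k] for k in previous.keys() - current.keys()}
    return new, resolved


def alerts(new, level="critical"):
    """Only new findings at the alert level interrupt anyone's day."""
    return sorted(k for k, sev in new.items() if sev == level)


def nightly_report(previous, current, feed_updated, now):
    if not feed_is_fresh(feed_updated, now):
        age_h = (now - feed_updated).total_seconds() / 3600
        return {"status": "stale-feed", "feed_age_hours": round(age_h, 1)}
    new, resolved = diff_findings(previous, current)
    return {
        "status": "ok",
        "new": new,
        "resolved": resolved,
        "still_open": len(previous.keys() & current.keys()),
        "alerts": alerts(new),
    }


if __name__ == "__main__":
    report = nightly_report(YESTERDAY, TODAY, FEED_UPDATED, NOW)
    for (host, fid), sev in sorted(report["new"].items()):
        print(f"NEW      {host:6} {fid} [{sev}]")
    for (host, fid), sev in sorted(report["resolved"].items()):
        print(f"RESOLVED {host:6} {fid}")
    print(f"{report['still_open']} unchanged; alerts: {report['alerts']}")
```

The stale-feed branch returns no findings at all rather than a possibly incomplete list, because a report that says "nothing new" while matching against yesterday's feed is worse than no report. The resolved set is what makes the diff useful over time: the nas host losing its sshd finding while media gains the same one is the cross-host inconsistency the post lists, and it only shows up because the two nights are compared per host.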