var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-35754314-2']); _gaq.push(['_setDomainName', 'securityeverafter.com']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })();

Thursday, June 23, 2016

An Approach to Vulnerability Management

I recently posted the below on the SANS Internet Storm Center.


No need to do anything to make your auditor happy than to purchase the most popular scanning tool

No need to worry, when the scan is over and the report has been produced - you are all done

No need to ever leave your cube and speak directly with your system administrators

No need to ever test the scanner on a non-production network in advance

No need to worry, a clean scan means you are both compliant and secure

No need to ever leave your cube and speak directly with your application developers

No need to ever let anyone know when your scan starts, after all an attacker is not going to do that so why should you

No need to worry, if something becomes unavailable during a scan it is totally not your problem


No need to show good stewardship after the purchase by producing metrics such as the percentage of findings that have been fixed as a percentage of all the findings

No need to seek data that demonstrates your scanner could serve as a platform to improve your security posture

No need to keep your boss informed of your progress, s/he would not understand 

No need to divert any of your time from finding things to fixing things

No need to ever think that your scanning tool is every anything but spot on accurate


No need to hold back, it would be great if you shared your Vulnerability Management “best practices" in our comments section below


Russell Eubanks

No comments:

Post a Comment