Penetration Testing
when to fix , when to not to fix the vuln. Jul 24 2010 07:02PM
a bv (vbavbalist gmail com) (4 replies)
Re: when to fix , when to not to fix the vuln. Jul 27 2010 11:08AM
Tony Turner (tony_l_turner yahoo com)
Re: when to fix , when to not to fix the vuln. Jul 25 2010 06:40PM
Jason Ross (algorythm gmail com)
Re: when to fix , when to not to fix the vuln. Jul 25 2010 12:21PM
Robert Portvliet (robert portvliet gmail com)
If they gave you a good report, you should have the vulnerabilities
listed in order of severity, in which case you should fix the most
critical (those that present the greatest risk) first, unless you know
of some compensating control that limits your exposure to said
vulnerability, in which case perhaps another vuln may be more
important to remediate first.

If the company\individual performing the pentest did not indicate the
severity of their findings, they did not provide you with a very good
test. They also should have presented their findings in a way that
conveyed their risk to the business (i.e. what an attacker could
achieve using these vulns), which should make it easier to decide
which are the most critical.

Now, in terms of tool output, most vulnerability scanners should also
present their output in terms of severity (usually colour coded) and, as
indicated above, you would want to fix the most critical unless you have
some compensating control; even then (depending on the vuln) it would
be a good idea to correct it after you have addressed your more severe
exposures.

On Sat, Jul 24, 2010 at 3:02 PM, a bv <vbavbalist (at) gmail (dot) com [email concealed]> wrote:
> Hi,
> Someone gave you a pentest report, or a basic tool scan report, or
> you have done the scan. There are vulnerabilities found and listed.
> How do you understand the vuln. and when do you try to
> fix it, or when do you not fix it?
> Regards
>

--

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

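The triage rule Robert describes (fix the highest-severity finding first, let a known compensating control push an item down the list, but never drop it entirely) is easy to get wrong by hand once a scan report runs to hundreds of lines. The script below is an added example and is not code from the thread or from any scanner vendor; the severity scores, exposure multipliers, the 0.9 cap on how much a compensating control may mitigate, and the sample findings are all constructed assumptions for illustration, not a standard such as CVSS environmental scoring.

```python
"""Order scanner/pentest findings by effective risk, accounting for
compensating controls (added example, not from the original post).

Assumptions (illustrative, not a standard):
  - scanner severity maps to a base score 0..10;
  - network position scales the score (EXPOSURE);
  - each compensating control removes a fraction of the remaining
    risk, capped so that no finding is ever mitigated to zero and
    therefore silently dropped from the remediation list.
"""
from dataclasses import dataclass, field

# Assumed base scores for scanner-reported severity labels.
SEVERITY_SCORE = {"critical": 10.0, "high": 7.5, "medium": 5.0,
                  "low": 2.5, "info": 0.0}

# Assumed multipliers for where the affected host sits.
EXPOSURE = {"internet": 1.0, "dmz": 0.8, "internal": 0.5, "isolated": 0.2}

# A control may never claim more than this much mitigation.
MAX_MITIGATION = 0.9


@dataclass
class Finding:
    ident: str
    title: str
    severity: str            # scanner label, e.g. "high"
    host: str
    exposure: str            # key into EXPOSURE
    compensating: list = field(default_factory=list)  # [(description, mitigation 0..1)]


def effective_risk(f: Finding) -> float:
    """Base score scaled by exposure and by each compensating control."""
    score = SEVERITY_SCORE[f.severity.lower()] * EXPOSURE[f.exposure]
    for _desc, mitigation in f.compensating:
        mitigation = min(max(mitigation, 0.0), MAX_MITIGATION)
        score *= (1.0 - mitigation)
    return round(score, 2)


def triage(findings, defer_below=2.0):
    """Return [(ident, effective_risk, action)] ordered most risky first.

    Low-risk items are deferred, not removed: they still get fixed after
    the more severe exposures, which is the point made in the thread.
    """
    ranked = sorted(findings, key=lambda f: (-effective_risk(f), f.ident))
    plan = []
    for f in ranked:
        risk = effective_risk(f)
        action = "fix now" if risk >= defer_below else "fix after higher-risk items"
        plan.append((f.ident, risk, action))
    return plan


# Constructed sample report: five findings, invented hosts and controls.
SAMPLE_FINDINGS = [
    Finding("F1", "RCE in DB management interface", "critical", "db01", "internal",
            compensating=[("host firewall permits only the app tier", 0.5)]),
    Finding("F2", "SQL injection in login form", "high", "www01", "internet"),
    Finding("F3", "Weak TLS cipher suites offered", "medium", "www01", "internet"),
    Finding("F4", "Server banner disclosure", "low", "intranet01", "internal"),
    Finding("F5", "Deserialisation RCE in admin API", "critical", "api01", "internet",
            compensating=[("WAF rule blocks the published payload", 0.7)]),
]


def remediation_plan():
    return triage(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for ident, risk, action in remediation_plan():
        print(f"{ident}  risk={risk:<5} {action}")
```

Note how F1, reported as critical, ends up below a medium finding on an internet-facing host once its firewall restriction is taken into account, while the WAF in front of F5 lowers but does not remove it from the list. Treat the numbers as a starting point for the conversation with the business, not as a verdict.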
Re: when to fix , when to not to fix the vuln. Jul 25 2010 06:01AM
Todd Haverkos (infosec haverkos com)


 

Copyright 2010, SecurityFocus