Penetration Testing

when to fix , when to not to fix the vuln. -- Jul 24 2010 07:02PM -- a bv (vbavbalist gmail com) (4 replies)
  Re: when to fix , when to not to fix the vuln. -- Jul 25 2010 12:21PM -- Robert Portvliet (robert portvliet gmail com)
  Re: when to fix , when to not to fix the vuln. -- Jul 25 2010 06:01AM -- Todd Haverkos (infosec haverkos com)
vulns with highest score" as your pentester likely may not understand
your business well enough to know that the moderate vuln impacting your
mission critical system is actually a larger concern than the severe
impacting a less critical system, especially if it would be difficult to
use that system to pivot due to IPSEC rules or whatnot. Or perhaps you
have an external facing server that is highly vulnerable but has no
connectivity to your internal network (hosted by an external provider
for instance). It's still important to plug those holes (maybe for no
reason other than prevent website defacement) but until you understand
how your various systems interact with each other, their trust levels,
the criticality of core business processes and the system dependencies
there is no cut and dry answer. It depends. (God I hate that answer)
What I do is ask myself this, "If every system were equally vulnerable,
what would be my biggest fear?" Then I take my report and go look at
those systems first. Then go look at those systems that have an
established trust relationship with those systems (including clients) or
are managed in a similar fashion (example: commonly used admin passwords
that might get reused on more critical systems).
a bv wrote:
> Hi,
> Someone gave you a pentest report, or a basic tool scan report, or
> you have done the scan. There are vulnerabilities found and listed.
> How do you understand the vuln. and when do you try to
> fix it, or when you don't fix it?
> Regards
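The "biggest fear first, then trust relationships, then similarly managed systems" heuristic above, as an added worked example that is not the poster's code: each finding is ranked by scanner severity weighted by the most critical system an attacker could reach from it over trust relationships or shared administration. Every system name, criticality, severity and trust edge here is constructed for illustration.

```python
from collections import deque

# All data below is constructed for illustration; none of it comes from the thread.
# Business criticality of each system, 1 (low) to 5 (mission critical).
CRITICALITY = {"erp-db": 5, "ad-dc": 5, "hr-app": 4, "intranet-wiki": 2, "public-web": 2}

# Findings from a constructed scan report: (system, scanner severity 1-10).
FINDINGS = [("public-web", 9), ("intranet-wiki", 6), ("erp-db", 5), ("hr-app", 4)]

# Trust relationships an attacker could follow from a compromised system.
# public-web is externally hosted with no path inward, so it has no entry.
TRUST = {
    "intranet-wiki": ["ad-dc"],
    "ad-dc": ["erp-db", "hr-app"],
    "hr-app": ["erp-db"],
}

# Systems managed alike (e.g. a shared local admin password): treated as mutual trust.
ADMIN_GROUPS = [{"intranet-wiki", "hr-app"}]


def neighbours(system):
    """Systems reachable in one hop via trust or shared administration."""
    peers = set(TRUST.get(system, []))
    for group in ADMIN_GROUPS:
        if system in group:
            peers |= group - {system}
    return peers


def reachable(system):
    """Every system an attacker could reach, transitively, from `system`."""
    seen, queue = set(), deque([system])
    while queue:
        for nxt in neighbours(queue.popleft()):
            if nxt not in seen and nxt != system:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(system):
    """Highest criticality at stake if `system` falls: itself or anything reachable."""
    return max(CRITICALITY[s] for s in reachable(system) | {system})


def prioritize(findings):
    """Order findings by severity weighted by what a compromise could reach."""
    ranked = sorted(findings, key=lambda f: f[1] * exposure(f[0]), reverse=True)
    return [system for system, _ in ranked]
```

With this data the severity-9 hole on the isolated public web server ranks last, while the moderate finding on the wiki that can pivot to the domain controller ranks first, which is the point the post makes about not simply sorting by scanner score.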