There was some debate the other day in our office (not tech IT myself) about what percentage of the infrastructure vulnerabilities in the Nessus repository are taken out of the equation if you have a thorough patch management policy for the infrastructure AND you scan the system before it's brought into operation.

What's your view? What % of Nessus vulns are addressed by scanning after the build process and addressing the problems, and then applying a thorough patch mgmt policy from when it goes live?

It's been prompted by our auditors' claim that it is essential that such scans be run every month, as new vulnerabilities are found all the time - but if they are patched, and stuff like default passwords / vendor back doors were addressed after the build process, before it went live, then what other kinds of issues/events/activities cause a vulnerability that isn't easily addressed by applying patches ASAP?

We would probably fall into a "medium" security environment.

There must be more to it than this around vulnerability scanning. Your views are most welcome. Should the auditors give some flexibility and accept that their recs are overkill, or do they have a point?
--
View this message in context: http://old.nabble.com/Vulnerability-scanning-routines---what-is-overkill.-tp32311141p32311141.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.