Scanning assets for known vulnerabilities is a mandatory process in many organisations. This topic sits in third position in the CIS Top-20[1]. The major issue with a vulnerability scanning process is not on the technical side but on the process side. Indeed, selecting and deploying the tool is not very complicated (well, in not too complex environments, to be honest): buy a solution or build one based on free tools, define the scope, schedule the scan and it's done. Then the real problem starts: how do you handle the thousands of vulnerabilities reported by the tool? Yes, be sure that you'll be flooded by alerts like this:
Amongst this huge amount of reported vulnerabilities, how do you spot the important ones and eliminate the noise? The process must include a review of the vulnerabilities that analyses them in the context of your organisation. Indeed, a vulnerability reported as "red" or "critical" by the tool does not mean that it is really critical in YOUR context or at THIS time. All vulnerabilities must be addressed and fixed, but we lack resources and time, so we need to prioritise our actions. To make this task easier, I would like to show you an interesting classification that I read on a vendor's PowerPoint slide. Vulnerabilities were classified into six categories:
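To illustrate the "not critical in YOUR context" point above, here is an added example (not from the diary or any vendor) that re-ranks scanner findings by combining the tool's severity with organisational context; the asset tags (exposure, business criticality, public exploit, compensating control) and the weights are assumptions for illustration, and the findings are constructed.

```python
# Added example: re-rank scanner findings using organisational context
# instead of the raw scanner severity alone. Field names and weights are
# illustrative assumptions, not a standard; tune them to your environment.
from dataclasses import dataclass

SEVERITY_SCORE = {"low": 1.0, "medium": 4.0, "high": 7.0, "critical": 9.5}


@dataclass
class Finding:
    host: str
    plugin: str
    scanner_severity: str      # severity as reported by the tool
    internet_exposed: bool     # asset reachable from the Internet?
    business_criticality: int  # 1 (lab) .. 5 (revenue-critical), assumed CMDB tag
    exploit_public: bool       # is a working exploit publicly known?
    mitigated: bool            # compensating control (WAF, isolation) in place?


def contextual_score(f: Finding) -> float:
    """Scanner severity adjusted by asset context. Higher means fix sooner."""
    score = SEVERITY_SCORE[f.scanner_severity]
    score *= 1.5 if f.internet_exposed else 0.5       # exposure dominates
    score *= 0.5 + 0.25 * f.business_criticality      # 0.75 (lab) .. 1.75 (core)
    if f.exploit_public:
        score *= 1.25
    if f.mitigated:
        score *= 0.5
    return round(score, 2)


def prioritise(findings):
    """Return findings ordered by contextual score, highest first."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("lab-vm-07", "Outdated SMB stack", "critical", False, 1, True, True),
    Finding("www-shop-01", "Web framework RCE", "high", True, 5, True, False),
    Finding("hr-fileserver", "Weak TLS cipher", "medium", False, 3, False, False),
]

if __name__ == "__main__":
    # The scanner's "critical" on an isolated lab VM ends up last.
    for f in prioritise(SAMPLE):
        print(f"{contextual_score(f):6.2f}  {f.scanner_severity:8}  {f.host:14} {f.plugin}")
```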
[1] https://www.cisecurity.org/controls/

Xavier Mertens (@xme), ISC Handler, Mar 28th 2018