Message-ID: <CAEDdjHec==ND56YQccT_eXREGKkrAQNV0tgPSHrZe0euhigxnQ@mail.gmail.com>
Date: Tue, 13 May 2014 10:40:41 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: lists@...com.org
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] So You Like Pain and Vulnerability Management? New Article.
On 12 May 2014 19:48, "Pete Herzog" <lists@...com.org> wrote:
>
> "Hi, I’m your friend and security researcher, Pete Herzog. You might
> know me from other public service announcements such as the widely
> anticipated, upcoming workshop Secrets of Security, and critic’s
> choice award winners: Teaching Your Teen to Hack Police Cars, and
> Help! My Monkey is Posting Pictures to Facebook!
>
> But I’m here today to take a moment and talk to you about the pain of
> neglect, isolation, abuse, and infection, better known as
> “vulnerability management”. In many ways vulnerability management can
> be part of a healthy system and overall good security. But there are
> many important differences between vulnerability management and
> security that you should know about:"
>
> That's how my new article starts. 5 points on the pain of
> vulnerability management and how to make it hurt less. It's posted
> here:
>
>
> http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/
>
>
> Feel free to discuss with me on Twitter @peteherzog and #securitypain
> and #helpmymonkeyispostingpicturestofacebook ;)
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - pete@...com.org
Hi,
I fail to see the point of the article and I think you are making some
major assumptions here while at the same time stating the obvious.
First, who is the audience of the article? As a vulnerability manager
myself I find it insulting that you think that I don't know that finding
vulnerabilities by itself, without ANY other security controls, will make my
employer "secure".
Secondly, you are saying that "vulnerability management" = "scanning
something with a vulnerability scanner, reviewing the output and patching". As it
says on Wikipedia, it is much more than that - it is the "cyclical practice
of identifying, classifying, remediating, and mitigating vulnerabilities"
[¹].
So at the very least I would define it as identifying possible
vulnerabilities with various tools - scanners, internal and external
pentests, source code review, fuzzing, bug reports, etc - and managing
their life cycle to the end by either patching, putting a control in place
or even signing it off as an acceptable risk.
Also you seem to focus solely on the problem of patching closed source
software. But nowadays most of the attacks are done via the Web layer, and
in most companies the Web layer is developed in house. So you can much more
effectively find vulnerabilities with a source code review than just
patching them as they appear.
As the article seems to imply, vulnerability management is about reducing
the risk and the overall attack surface. But I thought this was common
knowledge, especially among people who consider themselves "vulnerability
managers"?
Regards,
Pedro
[¹] http://en.m.wikipedia.org/wiki/Vulnerability_management
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/