Full Disclosure mailing list archives
Re: So You Like Pain and Vulnerability Management? New Article.
From: Daniel Wood <daniel.wood () owasp org>
Date: Tue, 13 May 2014 08:07:36 -0400
Pedro, I think you misinterpreted the article. I can see how his writing style can be confusing with all the joking and contradictions throughout. I had to reread it twice to make sure I was taking away what was intended.

Just to be clear though, I agree and don't think it really adds value for those of us that already do vulnerability management; however, if written more clearly, I could see this as being beneficial to those that don't understand VM and to drive away the misconception that VM is just patching and will make you secure.

One thing I would like to see us get away from as a community is siloing VM as something special. I think we need to be more holistic and include threats (TVM) as part of the larger picture. Doing so increases your VM ROI and actually gets you closer to a more secure baseline, as you can select appropriate controls (caveat: if done properly).

Daniel
On May 13, 2014, at 5:40 AM, Pedro Ribeiro <pedrib () gmail com> wrote:

> On 12 May 2014 19:48, "Pete Herzog" <lists () isecom org> wrote:
>
>> "Hi, I’m your friend and security researcher, Pete Herzog. You might know me from other public service announcements such as the widely anticipated, upcoming workshop Secrets of Security, and critic’s choice award winners: Teaching Your Teen to Hack Police Cars, and Help! My Monkey is Posting Pictures to Facebook! But I’m here today to take a moment and talk to you about the pain of neglect, isolation, abuse, and infection, better known as “vulnerability management”. In many ways vulnerability management can be part of a healthy system and overall good security. But there are many important differences between vulnerability management and security that you should know about:"
>>
>> That's how my new article starts. 5 points on the pain of vulnerability management and how to make it hurt less. It's posted here:
>> http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/
>>
>> Feel free to discuss with me on Twitter @peteherzog and #securitypain and #helpmymonkeyispostingpicturestofacebook ;)
>>
>> Sincerely,
>> -pete.
>>
>> --
>> Pete Herzog - Managing Director - pete () isecom org
>
> Hi,
>
> I fail to see the point of the article and I think you are making some major assumptions here while at the same time stating the obvious.
>
> First, who is the audience of the article? As a vulnerability manager myself I find it insulting that you think that I don't know that finding vulnerabilities by itself without ANY other security controls will make my employer "secure".
>
> Secondly, you are saying that "vulnerability management" = "scanning something with a vulnerability scanner, review the output and patch". As it says on Wikipedia, it is much more than that - it is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities" [¹].
>
> So at the very least I would define it as identifying possible vulnerabilities with various tools - scanners, internal and external pentests, source code review, fuzzing, bug reports, etc. - and managing their life cycle to the end by either patching, putting a control in place or even signing it off as an acceptable risk.
>
> Also, you seem to focus solely on the problem of patching closed source software. But nowadays most of the attacks are done via the Web layer, and in most companies the Web layer is developed in house. So you can much more effectively find vulnerabilities with a source code review than just patching them as they appear.
>
> As the article seems to imply, vulnerability management is about reducing the risk and the overall attack surface. But I thought this was common knowledge, especially among people who consider themselves "vulnerability managers"?
>
> Regards,
> Pedro
>
> [¹] http://en.m.wikipedia.org/wiki/Vulnerability_management
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- So You Like Pain and Vulnerability Management? New Article. Pete Herzog (May 12)
- Re: So You Like Pain and Vulnerability Management? New Article. Pedro Ribeiro (May 13)
- Re: So You Like Pain and Vulnerability Management? New Article. Daniel Wood (May 14)
- Re: So You Like Pain and Vulnerability Management? New Article. Pedro Ribeiro (May 13)