Penetration Testing mailing list archives

Re: when to fix, when not to fix the vuln.


From: Robert Portvliet <robert.portvliet () gmail com>
Date: Sun, 25 Jul 2010 08:21:48 -0400

If they gave you a good report you should have the vulnerabilities
listed in order of severity, in which case you should fix the most
critical (those that present the greatest risk) first, unless you know
of some compensating control that limits your exposure to said
vulnerability, in which case perhaps another vuln may be more
important to remediate first.

If the company/individual performing the pentest did not indicate the
severity of their findings, they did not provide you with a very good
test. They also should have presented their findings in a way that
conveyed their risk to the business (i.e. what an attacker could
achieve using these vulns), which should make it easier to decide
which are the most critical.

Now, in terms of tool output, most vulnerability scanners should also
present their output in terms of severity (usually color coded) and, as
indicated above, you would want to fix the most critical unless you have
some compensating control; even then (depending on the vuln) it would
be a good idea to correct it after you have addressed your more severe
exposures.



On Sat, Jul 24, 2010 at 3:02 PM, a bv <vbavbalist () gmail com> wrote:
Hi,
Someone gave you a pentest report, or a basic tool scan report, or
you have done the scan. There are vulnerabilities found and listed.
How do you understand the vuln. and when do you try to
fix it, or when don't you fix it?
Regards

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
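One way to turn the ordering rule in Robert's reply into a repeatable triage step, as an added example that is not code from the list or from either poster; the severity scale, the one-step-per-control policy and the sample findings are my own assumptions:

```python
from dataclasses import dataclass, field
from typing import Optional

# Severity scale assumed for this example; real reports use their own.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    title: str
    severity: Optional[str]           # None when the report gave no rating
    business_impact: str              # what an attacker could achieve
    compensating_controls: list = field(default_factory=list)

    def base_rank(self) -> int:
        return SEVERITY_RANK[self.severity.lower()]

    def effective_rank(self) -> int:
        # Assumed policy: each documented compensating control lowers the
        # remediation priority one step, but never below "low", so the
        # exposure stays in the queue and is fixed after the severe ones.
        base = self.base_rank()
        return 0 if base == 0 else max(1, base - len(self.compensating_controls))


def prioritize(findings):
    """Return (findings in fix order, titles of findings with no severity).

    Unrated findings cannot be queued honestly; they are reported separately
    so someone assigns a severity before they are scheduled.
    """
    unrated = [f.title for f in findings if f.severity is None]
    rated = [f for f in findings if f.severity is not None]
    key = lambda f: (-f.effective_rank(), -f.base_rank(), f.title)
    return sorted(rated, key=key), unrated


# Constructed sample findings, not taken from any real report.
SAMPLE = [
    Finding("Verbose server banner", "low", "fingerprinting of the web tier"),
    Finding("Reflected XSS in search", "medium", "session theft of a targeted user"),
    Finding("SQL injection in login form", "critical", "full customer database read"),
    Finding("Unauthenticated RCE in admin service", "critical",
            "code execution on the admin host",
            compensating_controls=["reachable only from the management VLAN"]),
    Finding("Weak SSH ciphers", None, "downgrade of management sessions"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE)[0]:
        print(f"{f.effective_rank()} ({f.severity}) {f.title}: {f.business_impact}")
```

The segmented RCE drops one step behind the unmitigated SQL injection but stays in the queue, and the unrated SSH finding is handed back for a severity rating rather than silently sorted to the bottom.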
