Penetration Testing mailing list archives
Re: when to fix , when to not to fix the vuln.
From: Robert Portvliet <robert.portvliet () gmail com>
Date: Sun, 25 Jul 2010 08:21:48 -0400
If they gave you a good report you should have the vulnerabilities listed in order of severity, in which case you should fix the most critical (those that present the greatest risk) first, unless you know of some compensating control that limits your exposure to said vulnerability, in which case perhaps another vuln may be more important to remediate first. If the company/individual performing the pentest did not indicate the severity of their findings, they did not provide you with a very good test. They also should have presented their findings in a way that conveyed their risk to the business (i.e. what an attacker could achieve using these vulns), which should make it easier to decide which are the most critical.

Now, in terms of tool output, most vulnerability scanners should also present their output in terms of severity (usually color coded) and, as indicated above, you would want to fix the most critical unless you have some compensating control; even then (depending on the vuln) it would be a good idea to correct it after you have addressed your more severe exposures.

On Sat, Jul 24, 2010 at 3:02 PM, a bv <vbavbalist () gmail com> wrote:
Hi,

Someone gave you a pentest report, or a basic tool scan report, or you have done the scan. There are vulnerabilities found and listed. How do you understand the vuln., and when do you try to fix it, or when don't you fix it?

Regards

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
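The ordering Robert describes (severity first, discounted by a known compensating control, but never dropped because of it) can be mechanised against a scanner or report export. The following is an added example and not code from the thread or from any scanner; the CSV rows, the control names (`internal-only`, `waf-virtual-patch`, `mfa-required`), the per-control credit and the fix-now/schedule/track thresholds are all constructed assumptions for illustration.

```python
# Added example (not from the thread): order pentest/scanner findings for
# remediation by severity, giving credit for compensating controls while
# keeping every compensated finding on the list.  All findings, control
# names and thresholds below are constructed assumptions.
import csv
import io
from dataclasses import dataclass, field

# Ordinal scale for the colour-coded severities most scanners emit.
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Hypothetical compensating controls and the exposure credit each is assumed
# to earn.  A real programme would only credit controls it has verified.
CONTROL_REDUCTION = {
    "internal-only": 1,      # not reachable from the internet
    "waf-virtual-patch": 1,  # exploit request blocked at the WAF
    "mfa-required": 1,       # an auth weakness alone is not enough
}


@dataclass
class Finding:
    id: str
    title: str
    severity: str
    impact: str                          # what an attacker gains, per the report
    controls: list = field(default_factory=list)


def load_findings(csv_text):
    """Parse a constructed CSV export with columns id,title,severity,impact,
    controls, where controls is a ';'-separated list and may be empty."""
    out = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        controls = [c.strip() for c in r["controls"].split(";") if c.strip()]
        out.append(Finding(r["id"], r["title"], r["severity"].lower(),
                           r["impact"], controls))
    return out


def effective_score(f):
    """Raw severity minus credit for known controls.  Floored at 1 so a
    compensated finding is deferred, not forgotten; informational stays 0."""
    base = SEVERITY_SCORE[f.severity]
    credit = sum(CONTROL_REDUCTION.get(c, 0) for c in f.controls)
    return max(base - credit, 1) if base > 0 else 0


def prioritize(findings):
    """Highest effective score first; ties go to the higher raw severity, so a
    compensated critical still precedes an uncompensated medium."""
    return sorted(findings, key=lambda f: (-effective_score(f),
                                           -SEVERITY_SCORE[f.severity], f.id))


def remediation_plan(findings):
    """Assign an action to each finding.  Thresholds are an assumption."""
    plan = []
    for f in prioritize(findings):
        score = effective_score(f)
        if score >= 3:
            action = "fix now"
        elif score >= 1:
            action = "schedule"   # still fixed, after the severe exposures
        else:
            action = "track"      # informational: no fix, stays in the record
        plan.append((f.id, action, score, f.controls))
    return plan


# Constructed sample export; none of these rows come from a real scan.
SAMPLE_CSV = """id,title,severity,impact,controls
F-1,Unauthenticated RCE on internet-facing VPN appliance,critical,Full network foothold,
F-2,SQL injection in HR portal,critical,Read all employee records,internal-only;mfa-required
F-3,Public web server accepts TLS 1.0,high,Session downgrade and interception,
F-4,Stack traces returned to client,medium,Recon for further attacks,
F-5,Directory listing on static host,low,Enumerate published files,
F-6,Server banner reveals version,info,None on its own,
"""

if __name__ == "__main__":
    for fid, action, score, controls in remediation_plan(load_findings(SAMPLE_CSV)):
        print(f"{fid}: {action} (effective {score}, controls={controls})")
```

Run stand-alone it prints the plan: F-1 and F-3 are fixed now, F-2 (a critical with two credited controls) drops below the uncompensated high but stays scheduled rather than accepted, and only the informational F-6 gets no fix. Swap the credit table for the controls you have actually verified before trusting the ordering.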
Current thread:
- when to fix , when to not to fix the vuln. a bv (Jul 24)
- Re: when to fix , when to not to fix the vuln. Todd Haverkos (Jul 25)
- Re: when to fix , when to not to fix the vuln. Robert Portvliet (Jul 25)
- Re: when to fix , when to not to fix the vuln. Jason Ross (Jul 25)
- Re: when to fix , when to not to fix the vuln. Tony Turner (Jul 28)