Security Basics mailing list archives

to be or not to be of vulnerability assessment report


From: a.alii85 () gmail com
Date: Thu, 27 Jan 2011 23:02:09 -0700

hey sec techies :)

I'm in the process of making a vulnerability assessment report. The report contains high-level vulnerability details 
that I have identified using scan tools such as Nessus and Nexpose. 

In the non-technical (executive summary) portion I have made a table which describes three things 
to its readers.

1) risk
2) effort required
3) resources required

These values are taken from instances of each vulnerability. These instances form different attack vectors for the 
hacker to get into the system.

Now here comes the problem, or the interesting part: in the dynamic analysis report I have been given dozens of 
vulnerabilities which are associated with missing patches (Nexpose full audit report). Now each missing patch fixes 
around 20 or more vulnerabilities, but my table is based on a 1-1 relationship, not 1-many. So I now have a mapping issue: 
how do I relate the effort required, risk and resources required attributes of multiple vulnerabilities to a single missing 
patch?

I don't want to break down the patches into individual vulnerabilities as that would add unnecessary volume, something 
the higher management would hate and dislike to the point they would want to throw the report into the dustbin. 

So what should I do? Do I really have to write a missing patch as in the true classic definition of what a 
"vulnerability" is, which is a weakness that it....because all this is saying is that your system is vulnerable because you 
forgot to update your anti-virus (or something trivial like this)?

These single instance / point vulnerabilities are more fun because they exist when the admins are confident about 
their system, that it is decently patched and they are safe, but they are not aware that most of the time these 
independent and third-party services and packages existing on your platform environment (e.g. Oracle) need patching 
and security tightening too.

So guys, please help me devise a workaround for this problem; an easy and effective solution would be much appreciated and 
welcomed. Thanks
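One way to represent the roll-up the post is asking about, as an added example that is not part of the original post: each scanner finding is tagged with the missing patch that fixes it (or none for a point finding), and the executive table is built per patch, keeping the highest risk and effort among the findings that patch covers and the union of their resources, while point findings keep their own row. The finding ids, patch name and ordinal scales are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ordinal scales so the roll-up can keep the highest value per patch (assumed scales).
RISK_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EFFORT_ORDER = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    vuln_id: str                 # scanner finding id (constructed sample, not real ids)
    risk: str                    # low / medium / high / critical
    effort: str                  # effort to remediate this finding
    resources: frozenset         # teams or assets needed for remediation
    patch: Optional[str] = None  # missing patch that fixes it; None for a point finding

@dataclass
class SummaryRow:
    item: str                    # patch name, or the vuln id for a point finding
    risk: str
    effort: str
    resources: set
    covered: list = field(default_factory=list)  # vuln ids folded into this row

def roll_up(findings):
    """Collapse every finding fixed by the same missing patch into one table row.

    Risk and effort are the highest values among the covered findings (the patch
    is applied once, so effort is not summed); resources are the union of what
    those findings need. Rows are returned highest risk first.
    """
    rows = {}
    for f in findings:
        key = f.patch or f.vuln_id
        row = rows.get(key)
        if row is None:
            rows[key] = SummaryRow(key, f.risk, f.effort, set(f.resources), [f.vuln_id])
            continue
        row.covered.append(f.vuln_id)
        if RISK_ORDER[f.risk] > RISK_ORDER[row.risk]:
            row.risk = f.risk
        if EFFORT_ORDER[f.effort] > EFFORT_ORDER[row.effort]:
            row.effort = f.effort
        row.resources |= f.resources
    return sorted(rows.values(), key=lambda r: -RISK_ORDER[r.risk])

# Constructed sample: three findings fixed by one patch, plus one point finding.
SAMPLE = [
    Finding("V-1", "medium", "low", frozenset({"sysadmin"}), "OS-PATCH-A"),
    Finding("V-2", "high", "low", frozenset({"sysadmin"}), "OS-PATCH-A"),
    Finding("V-3", "low", "medium", frozenset({"change board"}), "OS-PATCH-A"),
    Finding("V-4", "critical", "high", frozenset({"dba"}), None),
]
```

Running `roll_up(SAMPLE)` yields two rows instead of four: the point finding V-4 at critical, and a single OS-PATCH-A row at high risk, medium effort, covering V-1 to V-3.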
