Penetration Testing mailing list archives
Re: when to fix , when to not to fix the vuln.
From: Todd Haverkos <infosec () haverkos com>
Date: Sun, 25 Jul 2010 01:01:46 -0500
a bv <vbavbalist () gmail com> writes:
> Hi,
>
> Someone gave you a pentest report, or a basic tool scan report, or you have done the scan yourself. There are vulnerabilities found and listed. How do you understand the vuln., and when do you try to fix it, or when don't you fix it?
>
> Regards
One part of your question is relatively easy--if the pen test report doesn't include that value add of explaining the vulnerabilities they're listing, your penetration tester isn't doing their job. With simpler vuln scans, it's not nearly as surprising for a customer to have to go and do more of the research and risk assessment on their own.

In the report, hopefully there are CVE numbers as applicable, by which you can dig in to the various resources linked from the CVE number, BugTraq ID (BID), or NessusID of the vuln (assuming the scan was done with Nessus, for instance). http://cve.mitre.org/cve/ would be one place to start. http://securityfocus.com/vulnerabilities is still very useful as well. If the report addresses vulnerabilities found in custom applications, the OWASP Guide or OWASP Top 10 Projects may have the additional information you seek. http://owasp.org/

Fix everything you can reasonably afford to fix. When the fix involves patching, this is generally an easy decision to fix, but there are environments (air gapped networks for instance) that have a risk profile such that patching itself is considered a bigger risk to availability than the security threat would be to the rest of the CIA triad.

When the fix involves more than the relatively simple "apply vendor-supplied software update" then it gets interesting. To determine the stuff that is too expensive to fix, the notion of "loss expectancy" and risk come into play. And some of the quantifying there blurs from science into the art category.

If the flaw discovered is in a custom written web app, or in an application the vendor isn't supporting very well, things get more interesting still. This is where the notions of "virtual patching" may be useful, looking to protections that can be afforded by IPS and WAF technology...which introduce their own issues.
Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
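The decision rule Todd sketches (patch when a vendor update exists, except where patching itself is the availability risk; otherwise weigh loss expectancy against the cost of the fix, and fall back to virtual patching when the fix is too expensive) can be written down as a small triage routine. This is an added example, not code from the post or the list; it assumes the standard single/annualized loss expectancy formulas (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence) and constructed findings, not figures from any real report.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One reported vulnerability plus the inputs needed to price it (constructed values)."""
    name: str
    asset_value: float        # value of the affected asset, in currency units
    exposure_factor: float    # fraction of asset_value lost per incident (0..1)
    aro: float                # annualized rate of occurrence (expected incidents per year)
    fix_cost: float           # annualized cost of applying the real fix
    vendor_patch: bool        # fix is a plain vendor-supplied software update
    air_gapped: bool = False  # environment where patching itself endangers availability


def single_loss_expectancy(f: Finding) -> float:
    # SLE: what one incident costs (assumed standard formula, not from the post)
    return f.asset_value * f.exposure_factor


def annualized_loss_expectancy(f: Finding) -> float:
    # ALE: expected yearly loss if the flaw is left as-is
    return single_loss_expectancy(f) * f.aro


def decide(f: Finding) -> str:
    """Map a finding to one of: patch, fix, accept-or-virtual-patch."""
    if f.vendor_patch and not f.air_gapped:
        return "patch"                       # easy case: apply the vendor update
    if annualized_loss_expectancy(f) >= f.fix_cost:
        return "fix"                         # the fix pays for itself within a year
    # Too expensive to fix outright: accept the residual risk or put an
    # IPS/WAF "virtual patch" in front of it (which carries its own issues).
    return "accept-or-virtual-patch"


def triage(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (name, ALE, decision) for every finding, worst ALE first."""
    rows = [(f.name, annualized_loss_expectancy(f), decide(f)) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    sample = [  # constructed findings for illustration only
        Finding("SQLi in custom web app", 500_000, 0.2, 0.5, 30_000, vendor_patch=False),
        Finding("Old SMB service on SCADA host", 200_000, 0.5, 0.1, 80_000, vendor_patch=True, air_gapped=True),
        Finding("Missing OS patch on web tier", 50_000, 0.3, 1.0, 2_000, vendor_patch=True),
    ]
    for name, ale, verdict in triage(sample):
        print(f"{name:35s} ALE={ale:>10,.0f}  ->  {verdict}")
```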