Vulnerability scanning routines - what is overkill.

[cribbar <crib.bar () hotmail co uk>]

There was some debate the other day in our office (not tech IT myself) about
what percentage of the infrastructure vulnerabilities in the nessus
repository are taken out the equation if you have a thorough patch
management policy for the infrastructure AND you scan the system before its
brought into operation? 

What’s your view? What % of nessus vulns are addressed by scanning after
build process and addressing the problems, and then applying a thorough
patch mgmt policy from when it goes live? 

It’s been prompted by our auditors claims it is essential to run such scans
must be run every month as new vulnerabilities are found all the time – but
if they are patched, and stuff like default passwords / vendor back doors
were addressed after the build process, before it went live, then what other
kind of issues/events/activities cause a vulnerability that isn’t easily
addressed by applying patches ASAP.

We would probably fall into a “medium” security environment. 

There must be more to it than this around vulnerability scanning. Your views
most welcome. Should the auditors give some flexibility and accept they’re
recs are overkill, or do they have a point.

-- 
View this message in context: 
http://old.nabble.com/Vulnerability-scanning-routines---what-is-overkill.-tp32311141p32311141.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------