Penetration Testing mailing list archives
Vulnerability scanning routines - what is overkill.
From: cribbar <crib.bar () hotmail co uk>
Date: Mon, 22 Aug 2011 06:28:58 -0700 (PDT)
There was some debate the other day in our office (not tech IT myself) about what percentage of the infrastructure vulnerabilities in the nessus repository are taken out the equation if you have a thorough patch management policy for the infrastructure AND you scan the system before its brought into operation? What’s your view? What % of nessus vulns are addressed by scanning after build process and addressing the problems, and then applying a thorough patch mgmt policy from when it goes live? It’s been prompted by our auditors claims it is essential to run such scans must be run every month as new vulnerabilities are found all the time – but if they are patched, and stuff like default passwords / vendor back doors were addressed after the build process, before it went live, then what other kind of issues/events/activities cause a vulnerability that isn’t easily addressed by applying patches ASAP. We would probably fall into a “medium” security environment. There must be more to it than this around vulnerability scanning. Your views most welcome. Should the auditors give some flexibility and accept they’re recs are overkill, or do they have a point. -- View this message in context: http://old.nabble.com/Vulnerability-scanning-routines---what-is-overkill.-tp32311141p32311141.html Sent from the Penetration Testing mailing list archive at Nabble.com. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Vulnerability scanning routines - what is overkill. cribbar (Aug 26)
- Re: Vulnerability scanning routines - what is overkill. Duncan Alderson (Aug 28)