Dailydave mailing list archives

Re: smaller errors eroding situational awareness.
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Wed, 21 Aug 2013 10:16:20 +1000


To reuse the PCI DSS v2.0 Requirement 6.2 example, the core issue is
that "... a vendor-supplied patch classified by the vendor as
'critical'", and in this circumstance the source of truth is the
"vendor" and not Nessus.

In addition, Nessus (or any other product implemented by an ASV) may
have the incorrect CVSSv2 Base Score listed e.g.

On Sat, Aug 17, 2013 at 5:36 AM, Ron Gula <rgula () tenable com> wrote:
Examples like this are why I push the "exploitability" field as a form
of prioritization for vulnerabilities. I've seen too many organizations
debate a CVSS score with our support team so they can get it moved off
of their mandate to patch everything with a CVSS score of X or higher.

Christian Heinrich

Dailydave mailing list
Dailydave () lists immunityinc com
