Penetration Testing mailing list archives
Re: when to fix , when to not to fix the vuln.
From: Tony Turner <tony_l_turner () yahoo com>
Date: Tue, 27 Jul 2010 07:08:31 -0400
You need to put the findings in context. It's not enough to say "Fix the vulns with highest score" as your pentester likely may not understand your business well enough to know that the moderate vuln impacting your mission critical system is actually a larger concern than the severe impacting a less critical system, especially if it would be difficult to use that system to pivot due to IPSEC rules or whatnot. Or perhaps you have an external facing server that is highly vulnerable but has no connectivity to your internal network (hosted by an external provider for instance). It's still important to plug those holes (maybe for no reason other than prevent website defacement) but until you understand how your various systems interact with each other, their trust levels, the criticality of core business processes and the system dependencies there is no cut and dry answer. It depends. (God I hate that answer) What I do is ask myself this, "If every system were equally vulnerable, what would be my biggest fear?" Then I take my report and go look at those systems first. Then go look at those systems that have an established trust relationship with those systems (including clients) or are managed in a similar fashion (example: commonly used admin passwords that might get reused on more critical systems) a bv wrote:
Hi, Someone gave you a pentest report , or a basic tool scan report or you have done the scan. There are v ulnerabilities found and listed. How do you understand the vuln. and when do you try to fix it, or when you dont fix it? Regards ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- when to fix , when to not to fix the vuln. a bv (Jul 24)
- Re: when to fix , when to not to fix the vuln. Todd Haverkos (Jul 25)
- Re: when to fix , when to not to fix the vuln. Robert Portvliet (Jul 25)
- Re: when to fix , when to not to fix the vuln. Jason Ross (Jul 25)
- Re: when to fix , when to not to fix the vuln. Tony Turner (Jul 28)
