On 12 May 2014 19:48, "Pete Herzog" <li...@isecom.org> wrote:
>
> "Hi, I’m your friend and security researcher, Pete Herzog. You might
> know me from other public service announcements such as the widely
> anticipated, upcoming workshop Secrets of Security, and critic’s
> choice award winners: Teaching Your Teen to Hack Police Cars, and
> Help! My Monkey is Posting Pictures to Facebook!
>
> But I’m here today to take a moment and talk to you about the pain of
> neglect, isolation, abuse, and infection, better known as
> “vulnerability management”. In many ways vulnerability management can
> be part of a healthy system and over-all good security. But there’s
> many important differences between vulnerability management and
> security that you should know about:"
>
> That's how my new article starts. 5 points on the pain of
> vulnerability management and how to make it hurt less. It's posted
> here:
>
> http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/
>
> Feel free to discuss with me on Twitter @peteherzog and #securitypain
> and #helpmymonkeyispostingpicturestofacebook ;)
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - p...@isecom.org
Hi,

I fail to see the point of the article, and I think you are making some major assumptions here while at the same time stating the obvious.

First, who is the audience of the article? As a vulnerability manager myself, I find it insulting that you think I don't know that finding vulnerabilities by itself, without ANY other security controls, will make my employer "secure".

Secondly, you are saying that "vulnerability management" = "scanning something with a vulnerability scanner, reviewing the output and patching". As it says on Wikipedia, it is much more than that: it is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities" [¹]. So at the very least I would define it as identifying possible vulnerabilities with various tools (scanners, internal and external pentests, source code review, fuzzing, bug reports, etc.) and managing their life cycle to the end by either patching, putting a control in place, or even signing it off as an acceptable risk.

Also, you seem to focus solely on the problem of patching closed-source software. But nowadays most attacks are carried out via the Web layer, and in most companies the Web layer is developed in house. So you can find vulnerabilities much more effectively with a source code review than by just patching them as they appear.

As the article seems to imply, vulnerability management is about reducing the risk and the overall attack surface. But I thought this was common knowledge, especially among people who consider themselves "vulnerability managers"?

Regards
Pedro

[¹] http://en.m.wikipedia.org/wiki/Vulnerability_management

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
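The life cycle Pedro describes (findings from several sources, each driven to one of three closing outcomes: patched, mitigated by a control, or signed off as accepted risk) is easy to get wrong in a spreadsheet: duplicates per tool, "closed" with no recorded outcome, and risk acceptances that never come back up for review. The following Python sketch is an added example by the editor, not code from the thread or from either poster, and it is one of several possible designs. The asset names, the VULN-/APP- identifiers and the dates in `demo()` are constructed for illustration and correspond to no real finding.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Status(str, Enum):
    OPEN = "open"
    PATCHED = "patched"              # fixed at the source (vendor patch or code change)
    MITIGATED = "mitigated"          # compensating control in place, root cause remains
    RISK_ACCEPTED = "risk_accepted"  # signed off, with a justification and an expiry date


# Allowed state changes. Anything not listed is rejected, so a finding cannot
# be "closed" without one of the three recorded outcomes.
TRANSITIONS = {
    Status.OPEN: {Status.PATCHED, Status.MITIGATED, Status.RISK_ACCEPTED},
    Status.MITIGATED: {Status.PATCHED, Status.OPEN},
    Status.RISK_ACCEPTED: {Status.PATCHED, Status.MITIGATED, Status.OPEN},
    Status.PATCHED: {Status.OPEN},   # a rescan found it again: regression
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    asset: str
    vuln_id: str                     # CVE id, or an internal id for in-house code
    severity: str
    sources: Set[str] = field(default_factory=set)   # every tool/process that reported it
    status: Status = Status.OPEN
    note: str = ""
    accepted_until: Optional[date] = None


class Tracker:
    """One record per (asset, vuln_id), however many tools reported it."""

    def __init__(self) -> None:
        self.findings: Dict[Tuple[str, str], Finding] = {}

    def ingest(self, source: str, asset: str, vuln_id: str, severity: str) -> Finding:
        key = (asset, vuln_id)
        f = self.findings.get(key)
        if f is None:
            f = Finding(asset, vuln_id, severity)
            self.findings[key] = f
        elif f.status is Status.PATCHED:
            f.status = Status.OPEN   # seen again after a patch: reopen, do not duplicate
        f.sources.add(source)
        return f

    def transition(self, asset: str, vuln_id: str, new: Status,
                   note: str = "", accepted_until: Optional[date] = None) -> Finding:
        f = self.findings[(asset, vuln_id)]
        if new not in TRANSITIONS[f.status]:
            raise ValueError(f"{f.status.value} -> {new.value} is not allowed")
        if new is Status.RISK_ACCEPTED and (not note or accepted_until is None):
            raise ValueError("risk acceptance needs a justification and an expiry date")
        f.status, f.note = new, note
        f.accepted_until = accepted_until if new is Status.RISK_ACCEPTED else None
        return f

    def expire_acceptances(self, today: date) -> List[Finding]:
        """Risk acceptances are not permanent: past their date they reopen."""
        reopened = []
        for f in self.findings.values():
            if f.status is Status.RISK_ACCEPTED and f.accepted_until < today:
                f.status, f.accepted_until = Status.OPEN, None
                f.note += " (acceptance expired)"
                reopened.append(f)
        return reopened

    def backlog(self) -> List[Finding]:
        """Open items, worst first: what actually needs work now."""
        return sorted(
            (f for f in self.findings.values() if f.status is Status.OPEN),
            key=lambda f: (SEVERITY_RANK[f.severity], f.asset, f.vuln_id),
        )


def demo(today: date = date(2014, 5, 13)) -> Tracker:
    """Constructed scenario: one host flaw reported by two tools, plus an in-house web bug."""
    t = Tracker()
    t.ingest("scanner", "web01", "VULN-0001", "high")           # external scan
    t.ingest("pentest", "web01", "VULN-0001", "high")           # external pentest, same flaw
    t.ingest("code-review", "webapp", "APP-0002", "critical")   # in-house code, no vendor patch
    t.ingest("scanner", "db01", "VULN-0003", "low")
    # The critical web bug is fixed in source; the host flaw gets a WAF rule for now;
    # the low one was accepted until a date that has already passed by `today`.
    t.transition("webapp", "APP-0002", Status.PATCHED, note="fix shipped in release 4.2")
    t.transition("web01", "VULN-0001", Status.MITIGATED, note="blocked at the WAF")
    t.transition("db01", "VULN-0003", Status.RISK_ACCEPTED,
                 note="internal only, owner: dba team", accepted_until=date(2014, 4, 30))
    t.expire_acceptances(today)
    return t
```

The two details worth copying into whatever real tool you use are the transition table (no closure without a recorded outcome, and "patched" can go back to "open" when a rescan contradicts it) and the expiry on risk acceptance, which turns a sign-off into a review date rather than a way to make a finding disappear.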