Pedro, I think you misinterpreted the article. I can see how his writing style can be confusing with all the joking and contradictions throughout. I had to reread it twice to make sure I was taking away what was intended.
Just to be clear though, I agree and don't think it really adds value for those of us that already do vulnerability management. However, if written more clearly, I could see this as being beneficial to those that don't understand VM, and to drive away the misconception that VM is just patching and will make you secure. One thing I would like to see us get away from as a community is siloing VM as something special. I think we need to be more holistic and include threats (TVM) as part of the larger picture. Doing so increases your VM ROI and actually gets you closer to a more secure baseline, as you can select appropriate controls (caveat: if done properly).

Daniel

> On May 13, 2014, at 5:40 AM, Pedro Ribeiro <ped...@gmail.com> wrote:
>
>> On 12 May 2014 19:48, "Pete Herzog" <li...@isecom.org> wrote:
>>
>> "Hi, I’m your friend and security researcher, Pete Herzog. You might
>> know me from other public service announcements such as the widely
>> anticipated, upcoming workshop Secrets of Security, and critic’s
>> choice award winners: Teaching Your Teen to Hack Police Cars, and
>> Help! My Monkey is Posting Pictures to Facebook!
>>
>> But I’m here today to take a moment and talk to you about the pain of
>> neglect, isolation, abuse, and infection, better known as
>> “vulnerability management”. In many ways vulnerability management can
>> be part of a healthy system and over-all good security. But there’s
>> many important differences between vulnerability management and
>> security that you should know about:"
>>
>> That's how my new article starts. 5 points on the pain of
>> vulnerability management and how to make it hurt less. It's posted
>> here:
>>
>> http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/
>>
>> Feel free to discuss with me on Twitter @peteherzog and #securitypain
>> and #helpmymonkeyispostingpicturestofacebook ;)
>>
>> Sincerely,
>> -pete.
>>
>> --
>> Pete Herzog - Managing Director - p...@isecom.org
>
> Hi,
>
> I fail to see the point of the article and I think you are making some
> major assumptions here while at the same time stating the obvious.
>
> First, who is the audience of the article? As a vulnerability manager
> myself I find it insulting that you think that I don't know that finding
> vulnerabilities by itself without ANY other security controls will make my
> employer "secure".
>
> Secondly, you are saying that "vulnerability management" = "scanning
> something with a vulnerability scanner, review the output and patch". As it
> says on Wikipedia, it is much more than that - it is the "cyclical practice
> of identifying, classifying, remediating, and mitigating vulnerabilities"
> [¹].
> So at the very least I would define it as identifying possible
> vulnerabilities with various tools - scanners, internal and external
> pentests, source code review, fuzzing, bug reports, etc - and managing
> their life cycle to the end by either patching, putting a control in place
> or even signing it off as an acceptable risk.
>
> Also you seem to focus solely on the problem of patching closed source
> software. But nowadays most of the attacks are done via the Web layer, and
> in most companies the Web layer is developed in house. So you can much more
> effectively find vulnerabilities with a source code review than just
> patching them as they appear.
>
> As the article seems to imply, vulnerability management is about reducing
> the risk and the overall attack surface. But I thought this was common
> knowledge, especially among people who consider themselves "vulnerability
> managers"?
>
> Regards
> Pedro
>
> [¹] http://en.m.wikipedia.org/wiki/Vulnerability_management
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/