Tuesday, August 16, 2011

Vulnerability Management Program - FAIL





Same Vulnerabilities on the same hosts every month -- FAIL
   Reports are falling on deaf ears.
   Something is fundamentally wrong with the program. Either the application owners are not in the loop, or there is no management support for the program as a whole. Either way it is destined to FAIL.



Same Category of Vulnerabilities shows up every month -- FAIL
    Being reactive, not proactive. Fixing individual findings without fixing the root cause (the build image, the configuration standard, the coding practice that produced them) guarantees the same class of finding next month.



Erratic Vulnerability Management program -- FAIL
   The response to vulnerabilities should not be chaotic. Identify the application owners, identify the failure mechanisms, and define the process for closing out a vulnerability.




Failed PCI scan after a Vulnerability Assessment -- FAIL
  Always establish proper security baselines. If a host that just passed your own assessment fails the PCI scan, your internal baseline is weaker than the standard you are measured against.




No metrics to show the program is working -- FAIL
  If you don't know where you are going, you cannot tell whether you are making progress. Metrics (time to remediate, findings open past their deadline, findings that recur month over month) are the key to identifying whether your Vulnerability Management program is working or failing. They let you react sooner, before you hit the point of no return.
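The three failures above (the same finding on the same host every month, the same category every month, and no metrics at all) can all be caught from the scan data you already have. The script below is an added example, not code from the original post: it takes three constructed monthly scan results (hosts, finding IDs and categories are made up for illustration) and reports recurring host/finding pairs, recurring categories, and time-to-close metrics against an assumed 45-day deadline.

```python
from datetime import date

# Constructed sample data for this example: three monthly scans, each a list of
# (host, finding_id, category, severity). Hosts and finding IDs are made up.
SCANS = {
    date(2011, 5, 1): [
        ("web01", "F-101", "missing-patch", "high"),
        ("web01", "F-102", "weak-config", "medium"),
        ("db01", "F-201", "missing-patch", "critical"),
        ("app01", "F-301", "injection", "high"),
    ],
    date(2011, 6, 1): [
        ("web01", "F-101", "missing-patch", "high"),
        ("web01", "F-102", "weak-config", "medium"),
        ("db01", "F-201", "missing-patch", "critical"),
        ("app02", "F-302", "injection", "high"),
    ],
    date(2011, 7, 1): [
        ("web01", "F-101", "missing-patch", "high"),
        ("web01", "F-103", "weak-config", "low"),
        ("db01", "F-201", "missing-patch", "critical"),
        ("app03", "F-303", "injection", "high"),
    ],
}


def recurring_findings(scans):
    """(host, finding_id) pairs present in every scan: the 'same vulnerability
    on the same host every month' failure."""
    per_month = [{(h, f) for h, f, _, _ in scans[m]} for m in sorted(scans)]
    return sorted(set.intersection(*per_month))


def recurring_categories(scans):
    """Categories present in every scan, even when the hosts differ: the 'same
    category every month' failure (a root cause is not being fixed)."""
    per_month = [{c for _, _, c, _ in scans[m]} for m in sorted(scans)]
    return set.intersection(*per_month)


def program_metrics(scans, sla_days=45):
    """Time-to-close and deadline metrics derived from scan-to-scan differences.

    A finding counts as closed at the first scan in which it no longer appears.
    That scan date is an upper bound on the real fix date, so the numbers are
    conservative in the program's favour. The 45-day deadline is an assumption
    for this example, not a figure from the post."""
    months = sorted(scans)
    first_seen, closed_on = {}, {}
    for m in months:
        present = {(h, f) for h, f, _, _ in scans[m]}
        for key in present:
            first_seen.setdefault(key, m)
        for key in first_seen:
            if key not in present and key not in closed_on:
                closed_on[key] = m
    last = months[-1]
    durations = [(closed_on[k] - first_seen[k]).days for k in closed_on]
    open_ages = [(last - first_seen[k]).days for k in first_seen if k not in closed_on]
    return {
        "open": len(open_ages),
        "closed": len(durations),
        "mean_days_to_close": sum(durations) / len(durations) if durations else 0.0,
        "closed_within_sla": sum(1 for d in durations if d <= sla_days),
        "overdue_open": sum(1 for a in open_ages if a > sla_days),
    }


if __name__ == "__main__":
    print("recurring on same host:", recurring_findings(SCANS))
    print("recurring categories:", sorted(recurring_categories(SCANS)))
    print("metrics:", program_metrics(SCANS))
```

On the sample data, web01/F-101 and db01/F-201 recur in all three scans, every category recurs, and two of the four open findings are already past the 45-day deadline. Those are exactly the numbers that belong in a monthly report to the application owners and management; tracking them over time shows whether the program is improving or, as the post puts it, failing.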




Vulnerability Scanner gives inconsistent results -- FAIL
  Work with your vendor and understand the vulnerability scanner's capabilities and limitations. Understand the network architecture you are scanning (firewalls and IPS that drop probes, load balancers that hide back-end hosts, scan windows that collide with maintenance) and tune the scanner accordingly. This is essential for consistent, reliable results.


False positives turn out to be legitimate vulnerabilities -- FAIL
  If a manual test shows that findings your team dismissed as false positives are in fact real vulnerabilities, that points to serious problems with the team. A finding should be marked a false positive only after it has been verified, never because it is inconvenient.





Vulnerability Scanners are not supplemented with manual testing -- FAIL
  Automated testing only goes so far. Scanners still cannot think like a human attacker, which is a very good reason to supplement automated scans with manual testing.