It is important that, when performing vulnerability assessment, one keeps a perspective on exactly what one is doing. Doing a simple vulnerability scan tells little, taken by itself. Performing a penetration test in isolation is even more limiting. So, the implication is that vulnerability assessment is a holistic process. And that, it turns out, is exactly the case.
In the formative days of vulnerability assessment and penetration testing, everything was about finding the vulnerability and, if one was clear on the concept, verifying whether the vulnerability could be exploited. Today, that is only a piece of the process. Vulnerabilities – real vulnerabilities – need to be verified for their exploitability. That is where pen testing comes in. If one wants to address the vulnerability, one needs to add vulnerability management. That is not anywhere near as simple as it sounds.
This month, the biggest thing we saw was the maturing of vulnerability assessment into vulnerability management, which is good news for the information assurance community. It means that the biggest issue that we face is, at least, identifiable and manageable.However, there are complexities that simply referring to a vulnerability as a risk don't address. The message is clear: To manage vulnerabilities fully we need threat and vulnerability information. Then we need to apply management techniques.
Just because some vendor wants one to believe that vulnerabilities are risks, don't take the easy way out and just fix the vulnerability. The fact is that one is likely to see far more vulnerabilities than can be fixed economically, and represent a serious hole in one's enterprise. This is all about triage. What can one afford to fix – or not fix? That is what we'll try to help answer in this month's Group Test.
