Re: when to fix, when to not to fix the vuln.



If they gave you a good report you should have the vulnerabilities
listed in order of severity, in which case you should fix the most
critical (those that present the greatest risk) first, unless you know
of some compensating control that limits your exposure to said
vulnerability, in which case perhaps another vuln may be more
important to remediate first.

If the company/individual performing the pentest did not indicate the
severity of their findings, they did not provide you with a very good
test. They also should have presented their findings in a way that
conveyed their risk to the business (i.e., what an attacker could
achieve using these vulns), which should make it easier to decide
which are the most critical.

Now, in terms of tool output, most vulnerability scanners should also
present their output in terms of severity (usually color coded), and as
indicated above you would want to fix the most critical unless you have
some compensating control; even then (depending on the vuln) it would
be a good idea to correct it after you have addressed your more severe
exposures.



On Sat, Jul 24, 2010 at 3:02 PM, a bv <vbavbalist@xxxxxxxxx> wrote:
Hi,
Someone gave you a pentest report, or a basic tool scan report, or
you have done the scan. There are vulnerabilities found and listed.
How do you understand the vuln. and when do you try to
fix it, or when you don't fix it?
Regards

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
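The ordering rule in the reply above (most severe first, a compensating control only demotes a finding, nothing is dropped from the queue) as an added example that is not part of the original thread. It assumes scanner findings carry a CVSS v3-style base score; the sample findings and the one-band demotion rule are constructed for illustration.

```python
"""Remediation ordering for a findings list: highest effective severity
first, a compensating control demotes a finding by one band, and every
finding keeps a place in the queue. Sample data below is constructed."""
from dataclasses import dataclass

# Severity bands in the order scanners usually colour-code them.
BANDS = ["Critical", "High", "Medium", "Low"]


@dataclass
class Finding:
    id: str
    cvss: float                      # base score 0.0-10.0 from the report
    internet_facing: bool            # exposure tie-breaker within a band
    compensating_control: str = ""   # e.g. "WAF virtual patch"; "" if none


def band_for(cvss: float) -> str:
    """Map a CVSS v3-style base score to a severity band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def effective_band(f: Finding) -> str:
    """A compensating control lowers the band by one step, never below Low
    (assumed rule: the control limits exposure, it does not remove the flaw)."""
    idx = BANDS.index(band_for(f.cvss))
    if f.compensating_control:
        idx = min(idx + 1, len(BANDS) - 1)
    return BANDS[idx]


def remediation_order(findings):
    """Sort by effective band, then internet-facing before internal,
    then raw CVSS descending. Nothing is filtered out."""
    return sorted(findings, key=lambda f: (BANDS.index(effective_band(f)),
                                           not f.internet_facing, -f.cvss))


SAMPLE = [  # constructed findings, not from any real report
    Finding("F1", 9.8, True, compensating_control="WAF virtual patch"),
    Finding("F2", 7.5, True),
    Finding("F3", 9.1, False),
    Finding("F4", 5.3, True),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(f.id, band_for(f.cvss), "->", effective_band(f),
              f.compensating_control or "-")
```

With the sample data the queue comes out F3, F1, F2, F4: the mitigated Critical still sits above the unmitigated High, and nothing is removed.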

