RE: Justifying the spend on a vulnerability scanner

From: David Gillett (gillettdavid@fhda.edu)
Date: 03/11/03

    From: "David Gillett" <gillettdavid@fhda.edu>
    To: <security-basics@securityfocus.com>
    Date: Tue, 11 Mar 2003 11:56:36 -0800
    > From: JM <jamesmcgeeiom@onetel.net.uk>
    > As the subject says, this is what I have got to do.
    >
    > I could dream up loads of examples of:
    > If we don't detect a Code Red virus and we get it, then it
    > will knock out our webservers and others until we fix it.
    > If we have open null shares on the network, and unrestricted
    > access to remote registries, people can do what they
    > want.......
    >
    > But does anyone have any thoughts to share on how I can
    > successfully convince my management that the spend on a
    > vulnerability scanner is worthwhile?

      Vulnerability scanners don't have an inherent ROI of their
    own.

      Once you've got commitment to FIX holes before they are
    exploited, then you can easily justify a tool or two to FIND
    the holes that need fixing. But finding the holes is no help
    if nothing will be done about them.

    David Gillett
