RE: Justifying the spend on a vulnerability scanner
From: David Gillett (firstname.lastname@example.org)
To: <firstname.lastname@example.org>
Date: Tue, 11 Mar 2003 11:56:36 -0800
> From: JM <email@example.com>
> As the subject says, this is what I have got to do.
> I could dream up loads of examples of:
> if we don't detect a Code Red virus and we get it, then it
> will knock out our webservers and others until we fix it.
> if we have open null shares on the network, and unrestricted
> access to remote registries people can do what they
> But does anyone have any thoughts to share, on how I can
> successfully convince my management that the spend on a
> vulnerability scanner is worthwhile.
Vulnerability scanners don't have an inherent ROI of their
Once you've got commitment to FIX holes before they are
exploited, then you can easily justify a tool or two to FIND
the holes that need fixing. But finding the holes is no help
if nothing will be done about them.