RE: Justifying the spend on a vulnerability scanner

• Previous message: Joerg Over: "Re: Qmail passing sendmail vulnerability downstream"
• In reply to: Chris Berry: "Re: Justifying the spend on a vulnerability scanner"
• Next in thread: Gerhard Rickert: "Re: Justifying the spend on a vulnerability scanner"
• Reply: Gerhard Rickert: "Re: Justifying the spend on a vulnerability scanner"
• Reply: Gerhard Rickert: "Re: Justifying the spend on a vulnerability scanner"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "David Gillett" <gillettdavid@fhda.edu>
To: <security-basics@securityfocus.com>
Date: Tue, 11 Mar 2003 11:56:36 -0800

> From: JM <jamesmcgeeiom@onetel.net.uk>
> As the subject says, this is what I have got to do.
>
> I could dream up loads of examples of;
> if we don't detect a code read virus and we get it, then it
> will knock out our webservers and others until we fix it.
> if we have open null shares on the network, and unrestricted
> access to remote registries people can do what they
> want.......
>
> But does anyone have any thoughts to share, on how I can
> successfully convince my management that the spend on a
> vulnerability scanner is worthwhile.
 
  Vulnerability scanners don't have an inherent ROI of their
own.

  Once you've got commitment to FIX holes before they are
exploited, then you can easily justify a tool or two to FIND
the holes that need fixing. But finding the holes is no help
if nothing will be done about them.

David Gillett

• Previous message: Joerg Over: "Re: Qmail passing sendmail vulnerability downstream"
• In reply to: Chris Berry: "Re: Justifying the spend on a vulnerability scanner"
• Next in thread: Gerhard Rickert: "Re: Justifying the spend on a vulnerability scanner"
• Reply: Gerhard Rickert: "Re: Justifying the spend on a vulnerability scanner"
• Reply: Gerhard Rickert: "Re: Justifying the spend on a vulnerability scanner"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]