Vulnerability Assessment Program - Discussions

Published: 2012-05-05
Last Updated: 2012-05-05 16:05:06 UTC
by Tony Carothers (Version: 1)
3 comment(s)

On a slow Saturday in May I thought I would open the forum for discussion here at the ISC on a topic.  I am working on a project to update the Continuous Vulnerability Assessment (CVA) capability for a client, and I have found a lot of good information on the web.  What I haven’t found a lot of on the web is first-hand experience.  Guy Bruneau wrote a great article in October on CVA and Remediation for the Critical Controls.

First off, what is a vulnerability assessment?  Wikipedia defines a vulnerability assessment as “the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system”.  Vulnerability assessments are often confused with penetration testing; however, these two functions serve different roles in the organization and in the overall security assessment.  A CVA program, as a component of the overall enterprise systems management program, needs to cover the processes for asset identification, vulnerability reporting, and remediation.

The information I have collected runs the gamut of technical and marketing material.  A great report on assessment tools is available here.  Search the web for “Vulnerability Assessment”, “Continuous Vulnerability Assessment”, or “CVA” and the results vary greatly: technical, marketing, best practices, etc., but what is not abundant is experience.  What I’m asking of you today is input on the experiences and challenges that you've encountered in your implementation or update of a CVA program. I’d love to hear about both the technical and environmental challenges encountered along the way.  Ask yourself “If I had to do it differently, what would I change?”; that’s what I would like to hear.

tony d0t carothers - gmail

Thanks Tony,
This report is very informative. I would appreciate it if you could also share some of the latest report formats for security testing.
Here is my experience -
Challenges -
Timely remediation is one of the biggest challenges in large organizations because the OS and apps are managed by different teams. Getting downtime from the app owner for the system admins is itself a challenge when the system is running a critical business application.

Assess Immediate and Actual Risk -
Assess the actual risk from vulnerability scans: a regular authenticated vulnerability scan will report 30-40 OS vulnerabilities if the system hasn't been patched for several months. However, on servers we assume system admins will not surf the internet and get infected because of vulnerabilities in IE and other privilege escalation vulnerabilities. So vulnerabilities that require user interaction/action should be ignored until the next patching cycle, and the focus should be on vulnerabilities that could be exploited without user intervention, like MS08-067, MS12-020, etc.

I agree the biggest challenge is different team ownership of the overall system. Getting all of our "ducks in a row" can sometimes be quite an ordeal. A robust change control procedure is very important to making this a success, IMO.

I would also add though, that getting vendors to patch their appliances is often the most aggravating part of my day.
