The article is at
but I find it ominous.
Vulnerability management may be the next big thing in terms of IT
security strategy, but deriving the maximum value out of your efforts
requires hard work and a comprehensive plan, industry insiders
Well at least the author admits its not the next “Silver Bullet“!
Speaking at the SOURCE Boston conference this week, scanner maker
Tenable Security’s Carole Fennelly outlined some of the best practices
that organizations should observe as they attempt to identify and
remediate security weaknesses that exist throughout their IT systems and
Well that sounds good, but where does it lead to?
Personally I find it deceptive and not a good use of resources.
At the bottom, its too much like reactive fire-fighting.
We’ve discussed – or at least some of the more outspoken of us security blogers and professionals – of techniques for compartmentalization, being proactive in protection and using architectural and strategic decisions rather than ‘bug-hunting’.
We all know that you’ll never find the last bug, but its often easier to build things so that the effect of bugs, or failures, or attacks, is minimized.
What makes me despair though is when the old shibboleths get spouted:
“Organizations need to create asset lists that define their critical
business systems to help prioritize their efforts;
Without wanting to sound like I have it in for Ko-ko and his little list (heck, I have my own to-do list and GTD page), this is still reactive rather than proactive. In the last 15 years I’ve seen such revolutionary concepts as firewalls and DMZ become accepted by the mainstream, but the we can still see many people “don’t get it”. As evidence of this I would point towards the PCI documents. Implicit in them is the subtext that there are IT shops that are too stupid (or recalcitrant) to implement very basic good practices without being lead though them by the nose.
… they need to have the
support of different internal groups to create these lists that will
help them mitigate their most critical problems,” said Fennelly,
I wonder. Many security practitioners, and I think a lot of IT, would say that the most critical problems are not technical ones but rather have to do with people, management and strategy.
Scanners are useful tools, but they are also the kind of geek toy that can suck you in. This article touches on prioritizing those lists, but I’d say reality is that you have to deal with many things all at once, and getting stuck ‘head down’ with something like this and dealing reactively with the issues it raises will distract you from the more strategic matter that might just sweep away many of these problems.