Dailydave mailing list archives
Re: smaller errors eroding situational awareness.
From: Anton Chuvakin <anton () chuvakin org>
Date: Fri, 16 Aug 2013 13:32:44 -0700
of prioritization for vulnerabilities. I've seen too many organizations debate a CVSS score with our support team so they can get it moved off of their mandate to patch everything with a CVSS score of X or higher.
This, BTW, is NOT a joke :-) In essence, many of these organizations will likely NOT learn any lessons from the directory traverse ownage, apart from "NVD can be wrong." If they can fix/patch 500 vulns/month, but their VA tool shows them 1000 Hs, 5000 Ms and infinity of Ls a week, their patching strategy won't suddenly change to "fix all Hs, Ms and Ls." Exploitability may help them a bit, but I doubt it will "solve the problem." After all, the Low severity vuln of "system responds to pings" is ...ahemmm.. exploitable as you can actually send the damn ping :-)

--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Twitter: @anton_chuvakin
Work: http://www.linkedin.com/in/chuvakin
Current thread:
- smaller errors eroding situational awareness. Dave Aitel (Aug 16)
- Re: smaller errors eroding situational awareness. Kristian Erik Hermansen (Aug 16)
- Re: smaller errors eroding situational awareness. Ron Gula (Aug 16)
- Re: smaller errors eroding situational awareness. Anton Chuvakin (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Anton Chuvakin (Aug 19)
- Re: smaller errors eroding situational awareness. Christey, Steven M. (Aug 19)
- Re: smaller errors eroding situational awareness. security curmudgeon (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. security curmudgeon (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Justin Ferguson (Aug 21)