oss-sec mailing list archives
Re: Open Source Tool | vPrioritization | Risk Prioritization Framework
From: Pramod Rana <varchashva () gmail com>
Date: Sun, 6 Sep 2020 13:18:34 +0530
Appreciate your comments. My two cents - "patch everything" is far from reality for most (read: all) organizations, and I would argue that it's not a solution per se. To me it looks like buying every type of vehicle for commuting in every city of the world, but we don't do that; rather, we decide what will work best depending on factors like traffic, distance, roads, weather, etc. I believe prioritization is an integral part of everything we do, and it works as the reasoning for what we do (or don't).

On Sat, Sep 5, 2020 at 3:17 PM Perry E. Metzger <perry () piermont com> wrote:
> [Perhaps somewhat off topic, but the original announcement felt a bit tangential as well.]
>
> On Thu, 3 Sep 2020 20:13:34 +0530 Pramod Rana <varchashva () gmail com> wrote:
>
> > It is no secret that today we have more vulnerabilities than we can assess and remediate, timely and comprehensively. Risk prioritization is a key component for any vulnerability management program.
>
> I'm not sure I agree with this premise.
>
> 1. It is entirely feasible to keep even a very large organization comprehensively patched. There are organizations that do that.
>
> 2. It is not feasible to calculate a probability of exploitation of a given vulnerability, and it is not feasible to determine how bad the damage from exploitation will be. This is a classic example of "tail risk" where probability distributions are simply not calculable by normal methods.
>
> I keep hearing people in the security industry speak about scientific risk assessment as though it were possible. I don't think it's possible, and it seems cheaper to simply patch than to do some sort of scientific assessment and prioritization of patches.
>
> My gut reaction is that the growth of this idea is attributable to the large number of large, well-funded organizations that are nonetheless not capable of properly maintaining their own infrastructure and thus not capable of patching in a timely manner. (I have consulted to many such organizations.) The notion that some sort of "risk analytics" could therefore justify failing to patch quickly and give a rationale for maintaining an incapable systems management team is thus attractive.
>
> However, the real solution is simply to patch; a capable systems management team is better than the illusion of a risk calculation system, and provides far more benefits than simply maintaining infrastructure in a fully patched state.
>
> Perry
> --
> Perry E. Metzger perry () piermont com
Current thread:
- Open Source Tool | vPrioritization | Risk Prioritization Framework Pramod Rana (Sep 03)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Perry E. Metzger (Sep 05)
- Risk and severity vectors (was: Open Source Tool | vPrioritization | Risk Prioritization Framework) Jeremy Stanley (Sep 05)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Pramod Rana (Sep 06)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Amos Jeffries (Sep 06)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Robert Watson (Sep 06)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Perry E. Metzger (Sep 07)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Jeffrey Walton (Sep 07)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Kurt H Maier (Sep 07)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Jeffrey Walton (Sep 08)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Alex Gaynor (Sep 08)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework The Doctor [412/724/301/703/415/510] (Sep 09)
- Re: Open Source Tool | vPrioritization | Risk Prioritization Framework Perry E. Metzger (Sep 05)