[Dailydave] smaller errors eroding situational awareness.
Christian Heinrich
christian.heinrich at cmlh.id.au
Tue Aug 20 20:16:20 EDT 2013
Ron,
To reuse the PCI DSS v2.0 Requirement 6.2 example, the core issue is
that "... a vendor-supplied patch classified by the vendor as
"critical"" and in this circumstance the source of truth is the
"vendor" and not Nessus.
In addition, Nessus (or any other product implemented by an ASV) may
have the incorrect CVSSv2 Base Score listed e.g.
https://discussions.nessus.org/thread/4769
On Sat, Aug 17, 2013 at 5:36 AM, Ron Gula <rgula at tenable.com> wrote:
> Examples like this are why I push the "exploitability" field as a form
> of prioritization for vulnerabilities. I've seen to many organizaitons
> debate a CVSS score with our support team so they can get it moved off
> of their mandate to patch everything with a CVSS score of X or higher.
--
Regards,
Christian Heinrich
http://cmlh.id.au/contact
More information about the Dailydave
mailing list