[Dailydave] smaller errors eroding situational awareness.
Anton Chuvakin
anton at chuvakin.org
Fri Aug 16 16:32:44 EDT 2013
> of prioritization for vulnerabilities. I've seen too many organizations
> debate a CVSS score with our support team so they can get it moved off
> of their mandate to patch everything with a CVSS score of X or higher.
This, BTW, is NOT a joke :-) In essence, many of these organizations
will likely NOT learn any lessons from the directory traverse ownage,
apart from "NVD can be wrong." If they can fix/patch 500
vulns/month, but their VA tool shows them 1000 Hs, 5000 Ms and an
infinity of Ls a week, their patching strategy won't suddenly change
to "fix all Hs, Ms and Ls." Exploitability may help them a bit, but I
doubt it will "solve the problem." After all, the Low severity vuln
of "system responds to pings" is ...ahemmm.. exploitable, as you can
actually send the damn ping :-)
--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Twitter: @anton_chuvakin
Work: http://www.linkedin.com/in/chuvakin
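As an added illustration (example code, not part of Anton's post), a small Python model of the two patching policies he contrasts: "patch everything with a CVSS score of X or higher" versus a queue that also weighs public exploit availability and exposure, both cut off at a fixed patching capacity. The findings, CVE placeholders and weighting factors are constructed assumptions for the demo.

```python
"""Compare a CVSS-threshold patching policy with an exploitability-aware one.

Constructed sample data: the hosts, placeholder CVE ids and weights below are
assumptions made for this illustration, not values from the original post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str               # placeholder identifier, not a real CVE number
    cvss: float
    exploit_public: bool   # a working exploit is publicly known
    exposed: bool          # host reachable from untrusted networks


def severity_band(cvss: float) -> str:
    """NVD-style qualitative bands for CVSS v2 scores (H/M/L)."""
    if cvss >= 7.0:
        return "H"
    if cvss >= 4.0:
        return "M"
    return "L"


def threshold_queue(findings, threshold=7.0):
    """'Patch everything with a score of X or higher', highest score first."""
    return sorted((f for f in findings if f.cvss >= threshold),
                  key=lambda f: -f.cvss)


def risk_score(f: Finding) -> float:
    """Assumed weighting: a public exploit and exposure dominate the raw score."""
    return f.cvss * (3.0 if f.exploit_public else 1.0) * (2.0 if f.exposed else 1.0)


def exploitability_queue(findings):
    """Every finding stays in the queue; order is by weighted risk, not band."""
    return sorted(findings, key=lambda f: -risk_score(f))


def plan(queue, capacity):
    """Split a queue into (patched, deferred) for a fixed patching capacity."""
    return list(queue[:capacity]), list(queue[capacity:])


SAMPLE = [  # constructed findings
    Finding("web01", "CVE-XXXX-0001", 7.5, False, True),
    Finding("db01", "CVE-XXXX-0002", 9.3, False, False),
    Finding("web02", "CVE-XXXX-0003", 5.0, True, True),   # Medium, public exploit, exposed
    Finding("lab03", "CVE-XXXX-0004", 2.1, False, False),  # the "responds to pings" Low
    Finding("web03", "CVE-XXXX-0005", 7.2, False, True),
]
```

With capacity 2 the threshold queue never reaches the exposed Medium with a public exploit, while the weighted queue patches it first; it still leaves a High deferred, which is the capacity problem the post describes.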