[Dailydave] Soap and showers

Dave Aitel dave at immunityinc.com
Fri Sep 26 13:39:09 EDT 2014


So most of the bash bug solutions I've seen/talked to people about look
at "Vulnerability Management" as just that: essentially an extension to
your patching program. But in this case, nearly every machine is
vulnerable. However, almost NO machines pose a real risk. Everyone has
soap in their shower, and yet so few people slip to their death in the
morning!

This weird dichotomy between things that are vulnerable, and things that
are at risk, is a real problem with the bash bug and right now it's
being solved with consulting hours for most people. How do you go to the
SEC and say "90% of our infrastructure is vulnerable"? Answer: You
don't. Your Vulnerability Management tool is worthless right now.

An authenticated or credentialed scan with a Vulnerability Management
tool has always had this issue. Nobody knows whether they are in fact at
risk for any issue found with that scan! Perhaps your AV protects you?
Perhaps that port is blacklisted with the HIDS and nobody can touch it.
But the bash bug really highlights this in a way that drives it home to
executives, we've found.

Basically, with external anonymous scanning you have a high false
positive rate. That's bad. But with credentialed scanning, you have no
false positives, but also a very low confidence that the results are
meaningful. This is even worse, in some cases. ("Oh you wanted
vulnerabilities that MATTERED? That's Risk Management, and it's extra!")

Such a strange thing.

-dave
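As an added illustration (not from Dave's post), a small triage that keeps the scanner's "vulnerable" number and the "at risk" number apart. Every host, service and exposure attribute is constructed sample data, and `feeds_bash_env` is an assumed inventory flag meaning the service passes untrusted input to bash through environment variables.

```python
# Added example, not from the original post: turn a credentialed scan's
# "bash is vulnerable" findings into the separate "at risk" number.
# Every host, service and exposure attribute below is constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    exposed: bool          # reachable from an untrusted network zone
    feeds_bash_env: bool   # assumed inventory flag: passes untrusted input
                           # to bash via environment variables


@dataclass
class Host:
    name: str
    bash_vulnerable: bool  # what the credentialed scan reports
    services: list = field(default_factory=list)


def at_risk_reasons(host):
    """Services through which a vulnerable bash is actually reachable."""
    if not host.bash_vulnerable:
        return []
    return [s.name for s in host.services if s.exposed and s.feeds_bash_env]


def triage(hosts):
    """Report both numbers: vulnerable (the scanner's) and at risk (the one that matters)."""
    vulnerable = [h.name for h in hosts if h.bash_vulnerable]
    at_risk = {}
    for h in hosts:
        reasons = at_risk_reasons(h)
        if reasons:
            at_risk[h.name] = reasons

    def pct(n):
        return round(100 * n / len(hosts))

    return {"vulnerable": vulnerable, "at_risk": at_risk,
            "vulnerable_pct": pct(len(vulnerable)), "at_risk_pct": pct(len(at_risk))}


# Constructed fleet: nine of ten hosts vulnerable, only one actually exposed.
SAMPLE_FLEET = [
    Host("web01", True, [Service("cgi-web", exposed=True, feeds_bash_env=True)]),
    Host("web02", True, [Service("static-web", exposed=True, feeds_bash_env=False)]),
    Host("db01", True, [Service("database", exposed=False, feeds_bash_env=False)]),
    Host("build01", False, [Service("ci-agent", exposed=False, feeds_bash_env=True)]),
] + [Host(f"batch{i:02d}", True) for i in range(6)]

if __name__ == "__main__":
    report = triage(SAMPLE_FLEET)
    print(f"vulnerable: {report['vulnerable_pct']}%  at risk: {report['at_risk_pct']}%")
    for host, reasons in report["at_risk"].items():
        print(f"  {host}: reachable via {', '.join(reasons)}")
```

On the constructed fleet this prints 90% vulnerable and 10% at risk, which is the gap the post describes.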

