Priorities, CVEs, and CVSS

Even after processes are shored up, there will still be a need to prioritize what needs to be fixed next. Hopefully, with vetted and working processes backing up remediation efforts, this clean up will be manageable.

What to do next? Overwhelming operational areas with a giant list will only create a log jam. But, if we're focused on finding every weakness and trying to establish priorities, is that doing the same to TVM groups?

Stop using your vulnerability scanner for patch auditing!

Patch auditing is important, and you should do it, but your vulnerability scanner or sevice can (and should) do so much more.

Patching is designed to address the things you know about (or should know about). What about the things you haven't considered?

At first, this sounds counter-intuitive, but consider the goal for doing a vulnerability scan: to identify unaddressed weaknesses. If you have a patch management program, you already know about patches. If it has gaps, you need to know that, of course. But, what about security baselines? If you focus on auditing your patch management to the exclusion of all else (the noisiest aspect of vulnerability assessment), you run the risk of exposure due to misconfigurations that can be far worse than the patches you've missed.


How do I prioritize what to fix?

I spent about six years in vulnerability management before I decided to go be a penetration tester. I was frustrated by having to rely on the analysis of others, and on generalized guesswork to determine what made the biggest threat to the organization. I thought that being able to focus on security research and practical penetration would open my eyes to the realities of offense in a way that would help me make the most sense of security as a discipline.

What I found out was enlightening.