4 replies. Latest reply on Nov 26, 2009 10:27 AM by Stingner

    How are you handling unpatched vulnerabilities?

      I am curious how the community handles vulnerabilities found during a scan that are not currently patched?


      A side question: If you just accept the vulnerability finding as mitigated or accepted, how do you handle the recurring hit on every report? Do you turn off that scan item, or just keep those hits in the scan report? What if my boss wants a clean report?


      I use version 6.7. I've found that when I scan a Windows server, I often see some medium and even an occasional high alert for unpatched issues, some of which have persisted for quite some time. An example would be 6545: Microsoft Windows GDI+ EMF Stack Overflow Vulnerability.

        • 1. Re: How are you handling unpatched vulnerabilities?
          jhaynes

          I can't speak for the community, but as a security professional I wouldn't manipulate what's reported just because there isn't a patch available. That can lead to a false sense of security that doesn't really reflect the reality of your enterprise. If your boss wants a clean report, pressure should be put on the vendor to fix the vulnerability, or the offending software should be removed.


          Jeff Haynes

          • 2. Re: How are you handling unpatched vulnerabilities?
            epo909

            Hi Michael,


            I support Jeffrey's perspective.


            If you have a vuln that cannot be patched, you should accept the risk, so it must be reflected in the Foundscore.

            You could disable that particular vuln check in your scan by editing the vuln list, but again, that would only deliver a false sense of security.


            Regarding your boss requiring a clean report, I remember reading somewhere that vuln. management "is 75 percent science and planning and 25 percent the art of persuasion and motivation." Reading a clean report is easy; changing people's perspective is hard.


            Regards,

            RD


            Message was edited by: epo909 on 11/24/09 3:56 AM
            • 3. Re: How are you handling unpatched vulnerabilities?

              Yeah, I definitely don't want to really disable an alert. From an auditor's perspective, how would he know I just don't turn off checks for things I don't want to fix?


              Unfortunately, some vulns, especially some of those Windows OS ones are just not going to be patched, or at least Microsoft has said as much. Of course, that then begs the question on how anyone can pass a Foundstone scan with Windows?

              • 4. Re: How are you handling unpatched vulnerabilities?

                Michael,


                I concur with the others as well: a false sense of security is misleading. You are still vulnerable, and management needs to know that. I do clean the reports I send to management, but the only thing I remove is the "Informational" part; I leave the "High", "Medium" and "Low". My reports are created using Excel, Access and a connection to the SQL database.


                Cheers.


                Rene Pariseau
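The approach the replies converge on (keep the finding in the report, record the risk acceptance beside it, drop only Informational items) can be scripted on top of whatever the scanner exports. The following is an added example and not code from the thread, from Foundstone, or from any of the posters; it assumes findings arrive as simple records with host, check ID, title and severity, and that accepted risks are kept in a separate register keyed by host and check ID with an owner, a justification and an expiry date. The scanner export format is not described in the thread, so the records below are constructed; check 6545 is the one named in the question, and the other check IDs are made up.

```python
"""Added example (not from the thread): report accepted risks instead of
hiding them.

Assumptions, none of which come from the page:
  - a finding is a dict with host, check_id, title, severity
  - severities are High / Medium / Low / Informational
  - a risk-acceptance register maps (host, check_id) to owner, reason, expiry
"""
from datetime import date

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed sample findings (not real scanner output). Check 6545 is the
# one mentioned in the thread; 90001 and 90002 are hypothetical IDs.
FINDINGS = [
    {"host": "srv01", "check_id": 6545,
     "title": "Microsoft Windows GDI+ EMF Stack Overflow Vulnerability",
     "severity": "High"},
    {"host": "srv02", "check_id": 6545,
     "title": "Microsoft Windows GDI+ EMF Stack Overflow Vulnerability",
     "severity": "High"},
    {"host": "srv01", "check_id": 90001,
     "title": "Hypothetical medium-severity finding", "severity": "Medium"},
    {"host": "srv02", "check_id": 90002,
     "title": "Hypothetical informational finding", "severity": "Informational"},
]

# Constructed risk register: only srv01's 6545 has a documented acceptance.
RISK_REGISTER = {
    ("srv01", 6545): {
        "owner": "server-team",
        "reason": "No vendor patch; host is not internet facing",
        "expires": date(2010, 3, 31),
    },
}


def classify(finding, register, today):
    """Return (accepted, status_text) for one finding.

    An acceptance past its expiry date counts as open again, so a stale
    sign-off cannot quietly keep a finding out of the 'open' column.
    """
    entry = register.get((finding["host"], finding["check_id"]))
    if entry is None:
        return False, "Open"
    expires = entry["expires"].isoformat()
    if today > entry["expires"]:
        return False, "Open (acceptance expired %s)" % expires
    return True, "Accepted until %s by %s: %s" % (expires, entry["owner"], entry["reason"])


def build_report(findings, register, today, drop_informational=True):
    """Annotate findings with acceptance status; never drop High/Medium/Low."""
    rows = []
    for finding in findings:
        if drop_informational and finding["severity"] == "Informational":
            continue
        row = dict(finding)
        row["accepted"], row["status"] = classify(finding, register, today)
        rows.append(row)
    rows.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], r["host"], r["check_id"]))
    return rows


def summarize(rows):
    """Count rows per (severity, 'Accepted'|'Open') for the management summary."""
    counts = {}
    for row in rows:
        key = (row["severity"], "Accepted" if row["accepted"] else "Open")
        counts[key] = counts.get(key, 0) + 1
    return counts


def render(rows):
    """Plain-text table; the accepted rows stay visible next to the open ones."""
    fmt = "%-6s %-6s %-13s %-50s %s"
    lines = [fmt % ("Host", "Check", "Severity", "Title", "Status")]
    for r in rows:
        lines.append(fmt % (r["host"], r["check_id"], r["severity"], r["title"][:50], r["status"]))
    return "\n".join(lines)


if __name__ == "__main__":
    report = build_report(FINDINGS, RISK_REGISTER, today=date(2009, 11, 26))
    print(render(report))
    print(summarize(report))
```

The design choice is that an acceptance is data about a finding, not a reason to suppress the check: the scan keeps flagging the host, the report keeps the row, and an auditor can see who signed off, why, and when the decision has to be revisited. Unaccepted hosts with the same check (srv02 above) still show as open, which is exactly the information disabling the check would have lost.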