Archives for October, 2011
by Anton Chuvakin | October 31, 2011 | 1 Comment
Vulnerability management is very easy, really. Get a scanner, scan a system, peruse the report listing all the flaws, then go and fix them. Done! Risk is presumably reduced and/or compliance is restored (e.g. in case of PCI DSS and fixing severe vulnerabilities with high CVSS scores). Now, imagine the same process that attempts to [...]
Category: compliance security vulnerability management Tags: vulnerability assessment, vulnerability management
by Anton Chuvakin | October 17, 2011 | 1 Comment
First, I want to thank my readers for a lot of insightful comments to my previous post: “On Vulnerability Prioritization and Scoring.” It helped me refine some of the key ideas for my current research project. Here is my second post in the series, covering another current and interesting area in vulnerability management: scanning “new” [...]
Category: security vulnerability management Tags: security, vulnerability assessment, vulnerability management
by Anton Chuvakin | October 11, 2011 | 4 Comments
Everybody who has any relation to PCI DSS and payment data security has probably already read the “2011 PCI Compliance Report” report. You have not?! Well, you have a fine choice then: enjoy my highlights below AND THEN go read the full report; or just go and read the report now. One of my favorite [...]
Category: compliance PCI DSS security Tags: PCI compliance, PCI DSS
by Anton Chuvakin | October 6, 2011 | 12 Comments
I am starting my new research project for Q4 2011 (stepping briefly away from PCI DSS compliance): on vulnerability management. As I am going through existing Gartner coverage of the matter (tools, practices) as well as recent customer calls on the subject, one interesting theme emerges: vulnerability prioritization for remediation presents THE critical problem to [...]
Category: security vulnerability management Tags: security, vulnerability assessment, vulnerability management
by Anton Chuvakin | October 1, 2011 | 2 Comments
As esteemed readers of my “old”, personal blog know, I am a bit of a log fanatic. And my log fanaticism rises to a fevered pitch in the area of LOG and EVENT STANDARDS. Along this line, I was working with the CEE team (from the time before it was called that; we figured “CEX” was [...]
Category: CEE logging standards