Re: security compliance vs. old software versions

But the point is that the original poster is NOT the one running the
scan.  And the results of the scan (complaining about
vulnerabilities based on version numbers) indicate that it is not a
true 'security' scan anyway.  For (almost) every CVE issued, there
is a way to mitigate the risk that does not involve installing "the
latest and greatest with all the new fixes".  It is at best a
superficial scan of the type that is sold to PHBs so they can
"check the box".

I've spent a lot of hours trying to educate auditors.

On Wed, 30 Jun 2010, Frank Cox wrote:

> The point is that the security scan is supposed to be verifying that
> your setup is, in fact, secure.  If you change your setup before running
> the scan, and then change it back immediately afterward, how is that
> verifying that your setup is, in fact, secure?  What you scanned != what
> you are actually using.
>
> If your purpose is simply to check off a box on a form, why not just
> write the Sooper Dooper Security Scanner yourself?
>

----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE       jim@xxxxxxxxxxxxx http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
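The false-positive pattern Jim describes (a scanner flagging a CVE purely from a package version while the distro has backported the fix) can be triaged mechanically. The following is an added example, not code from this thread or from CentOS: it parses changelog text in the layout `rpm -q --changelog <pkg>` prints, finds the release whose entry names the CVE, and compares it with the installed version-release. The changelog, package version and CVE id below are constructed placeholders.

```python
"""Triage a version-only scanner finding against a distro package changelog.

Added example for this thread, not code from the list or from CentOS.
On a real host the changelog would come from `rpm -q --changelog <pkg>`;
the sample here is constructed and the CVE id is a placeholder.
"""
import re

# Constructed sample in rpm's --changelog layout (not a real package's history).
SAMPLE_CHANGELOG = """\
* Mon Jan 04 2010 Example Packager <packager@example.invalid> - 2.2.3-22
- backport upstream patch for CVE-0000-0001 (placeholder id)

* Fri Dec 11 2009 Example Packager <packager@example.invalid> - 2.2.3-21
- rebuild against new libfoo
"""

# Entry header: "* <date> <packager> - <version>-<release>"
ENTRY_HEADER = re.compile(r"^\* .*? - (?P<evr>\S+)\s*$", re.MULTILINE)


def parse_changelog(text):
    """Return [(version_release, body)] entries, newest first, as rpm prints them."""
    heads = list(ENTRY_HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append((h.group("evr"), text[h.end():end].strip()))
    return entries


def release_key(evr):
    """Turn '2.2.3-22' into comparable tuples ((2, 2, 3), (22,)); non-numeric parts sort as 0."""
    version, _, release = evr.partition("-")
    as_tuple = lambda s: tuple(int(x) if x.isdigit() else 0 for x in s.split("."))
    return (as_tuple(version), as_tuple(release))


def fixed_release(changelog, cve):
    """Oldest-first scan; return the version-release whose entry first names the CVE."""
    for evr, body in reversed(parse_changelog(changelog)):
        if cve.lower() in body.lower():
            return evr
    return None


def triage(installed_evr, changelog, cve):
    """Classify a finding: 'backported', 'older-than-fix', or 'unverified' (no changelog evidence)."""
    fixed = fixed_release(changelog, cve)
    if fixed is None:
        return "unverified"
    return "backported" if release_key(installed_evr) >= release_key(fixed) else "older-than-fix"
```

An "unverified" result means the changelog alone does not settle it, not that the host is vulnerable; that finding still needs a real check of the code path or configuration.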

