Experienced security professionals themselves often get confused when they deal with CVEs and CWEs. Let’s understand them in a clear fashion.
Hope this clears up the difference between CWE and CVE. It’s important to focus on the CVEs in your environment, and closing the identified CVEs is vital.
Everybody’s mistake – let me put it as questions:
Do you really track CVEs in your environment?
How do you validate the CVEs?
What is the scoring level for your CVEs?
How do you close the CVEs?
Are the recommendations deployed, or is a workaround deployed, to close the CVEs?
How many CISOs, CSOs and SOC managers are aware of their organization’s open CVEs and closed CVEs?
Is the workaround tested before deploying to production, and when did you last revisit the workaround?
Experts will answer all the above questions with a single answer:
“We are performing vulnerability assessment periodically and all identified vulnerabilities will be closed as part of the assessment”
OK, if your answer is vulnerability assessment, then I’m expecting you to answer the questions below:
Do you know how many vendors / software products you use in your environment?
Do you have any dependencies / in-house challenges in upgrading / deploying patches?
Do you have any known vulnerabilities left over as “Non-Patchable”?
Are you in a “zero downtime tolerance” environment where all your servers must always be in “ON” mode? Then how do you restart after patching? Note: 90% of server patches always require a restart for the update to take effect.
Do you have virtual patching enabled for the CVEs that are not yet closed?
How many of the CVE’s
Is your vulnerability assessment aligned with your SOE?
Who verifies and confirms your vulnerability assessment policy? Note: I can give you a clean report every time with ZERO vulnerabilities.
Do any of your Big 4 auditing teams / auditors verify your vulnerability assessment policy before verifying the vulnerability assessment report?
If you have already accepted the risk of a CVE, what impact score and risk score have you taken?
Trust us; our experts have practical experience, and it confirms that none of the industry knows their exact CVE details.
To close all of these practical, known, unacceptable and unavoidable gaps, we have a solution. Yes. A new era in dealing with your CVEs effectively.
If you start practising our methodology, you may not need to invest in and buy a vulnerability assessment tool for your environment. A CAPEX-saving, simple approach to running an effective vulnerability assessment program in your environment. An ultimate, simple and effective reverse-engineering solution, which gives you a clear understanding of your organization’s CVEs and vulnerability score, no matter which tool you use for vulnerability assessment. REVA & PT would be the most successful and CAPEX-effective way to meet your organization’s security and compliance needs. Every vulnerability assessment tool hides behind its brand and attractive so-called reports, selling its product by frightening customers about their organization’s vulnerabilities.
“When you know who is in your home, why do you need a third person to identify your family members? It’s your job to maintain your family members’ health [Vulnerability] and give them the proper medication [Remediation].” Does your highly expensive VA tool cover your complete environment? Routers, switches, firewalls, security devices, POS machines, ATMs and other networking devices? No. Absolutely not. If one VA tool gave you the complete vulnerability assessment report, it would be worth the CAPEX. But why do you invest to understand only your “software vulnerabilities” when it can be achieved with ZERO investment?