Posts

Showing posts from January, 2018

2018 Vulnerability Stats Report - Simple things make the difference.

We finally finished off the 2018 edgescan Vulnerability Stats report this week. Overall things have not changed too much, but we did a little more digging into the vulnerability data we harvested over the 12 months to December 2017. To that end we did some PCI compliance comparison (given that edgescan is a certified PCI ASV service, in addition to the awesome full stack vulnerability intelligence solution it always has been). How to improve security in a dramatic fashion? What's the biggest quick win to improve your security posture, you ask? All vulnerabilities are not created equal. We need to look at vulnerability management in a pragmatic way. It's not possible to be vulnerability-free and 100% secure, but we can aim for removing any issues which may give rise to a breach of client or organisational data. So, let's mitigate the highest risks first and not sweat about the small stuff. Risk is not linear and reducing vulnerability count does not necessarily translate to s
Vulnerability Management: False Positives, False Negatives, Technical, Logical Vulnerabilities and Human Error

At edgescan, we have delivered thousands of assessments over the past years, and one topic which is both a commonly known weakness and a source of concern is accuracy of assessment. The challenge is both human and technical: Can the technology detect security weaknesses and report accurate findings? Can the technology avoid reporting issues that are not real ("False Positives")? Can the technology miss critical issues and simply not report the weakness ("False Negatives")? In addition, once an issue is reported, will the human dismiss the issue as a "False Positive" because they misunderstand or cannot reproduce the issue, resulting in a "False Negative"? The majority of commercial and open source vulnerability scanning tools cannot provide reliable results and require significant human validation, which can also fail