Questions tagged [vulnerability-management]

67 questions
3 votes, 1 answer

Adobe Flash and Meltdown / Spectre

Many browsers have received updates to protect against the Meltdown and Spectre attacks. I presume these patches relate (solely) to JavaScript execution within the browser. Java in the browser is as good as dead, so that's not affected. But even…
3 votes, 2 answers

How do I secure my home Wi-Fi network in light of KRACK?

Now that KRACK has been discovered to exploit WPA2, is it still possible to secure my home Wi-Fi network? If so, what steps should I take to secure it against KRACK attacks? Will there now be a need for a new "WPA3" protocol? The simple answer as…
Jonathan
3 votes, 1 answer

What does a "-" mean in the Version field in Common Product Enumeration (CPE)?

I'm trying to understand the Common Product Enumeration standard published by Mitre. In the Version field, I've found references to "*" or ANY meaning "Any Version." However, when I search the CPE Dictionary, I find a dash in that field. Does…
Cargo23
3 votes, 0 answers

Are there any development tools that help with both asset management and vulnerability management?

I work for a software/system development company and I'm looking to improve how we manage information security within our development process. Much of what I have found in my initial research is focused on managing vulnerabilities within a company's…
3 votes, 0 answers

CVE vs KB Table

I work with equipment that is very selective about which KB or MS patches are allowed to be installed. I'm spending a lot of time trying to figure out which CVEs are addressed by which KB or MS fix for windows using Nessus' notes and sites like…
2 votes, 1 answer

Vulnerability management 101

Looking at a typical vulnerability scan report from Nessus or Qualys, most people are terrified, lost, and basically left with more questions than answers. For example, how on earth am I going to deal with all these findings? From what I was taught, a…
cyzczy
2 votes, 3 answers

How to make sure vulnerability management does not lead to reduced or compromised security

When running vulnerability scans, often a particular version of, say, Node.js is reported to be vulnerable along with a recommendation to update to a higher version. Then we also have insecure SSL/TLS protocols, like TLS 1.0 and SSL 3.0, and it’s…
user211245
2 votes, 1 answer

Best practices for vulnerability patching periods?

I was wondering if there are any general recommendations on maximum resolution times for vulnerabilities. Consider a vulnerability/patch management process where a ticket is opened when a vulnerability is reported/detected. The ticket system sets a…
user149408
2 votes, 1 answer

Could you use svchost to run any service?

Is it possible, if per se you installed an "evil_service", to use svchost to run it? Will it run any service?
2 votes, 1 answer

JBoss Web vulnerabilities

In my organization I found servers running JBoss Web/7.0.13.Final and JBoss Web/7.0.12.Final. I could not find security vulnerabilities for this server's versions, but they seem old to me. How can I find JBoss Web security vulnerabilities (CVEs,…
Gari BN
2 votes, 2 answers

How are flaws in Google Chrome usually patched and disclosed?

When there is a vulnerability like Flash's in any piece of software such as Chrome, is it disclosed immediately to the general public, or is it kept a secret until it is patched? If the former, are all the details of the vulnerability usually…
user119003
2 votes, 2 answers

Vulnerability Scanning as a Point of Compromise

Has there been research/analysis on the use of Vulnerability scanning ecosystems as a point of compromise into a network? Specifically -- for enterprises using authenticated scanning -- the vulnerability scanning ecosystem becomes a trusted entity…
2 votes, 4 answers

Vulnerability management solution evaluation criteria

We are planning for a vulnerability management solution, so I am looking out for evaluation criteria between the well known solutions like Nessus, Qualys and Nexpose. If anyone could share such evaluation points it would be really helpful.
1 vote, 1 answer

Is there a way to check if vulnerability introduced by npm package is reachable/exploitable

I have a problem where I have too many vulnerabilities on a few hundred repositories introduced with outdated npm packages. The issue is that I need to find a way to prioritize this. The biggest pain in the butt for me is that the engineering team…
4tire
1 vote, 1 answer

What is the difference and link between threat modelling and vulnerability assessment?

My understanding is that threat modelling is used at the design stage to identify the possible threats, prioritize them and help in identifying security requirements/security controls. Vulnerability assessment is done during development and in…