Chapter 16. Vulnerability Management

Contrary to what some vendors’ marketing material would have us believe, a huge quantity of successful breaches do not occur because of complex 0-day vulnerabilities, lovingly handcrafted by artisanal exploit writers. Although this does happen, a lack of patching, failure to follow good practices for configuration, or neglecting to change default passwords are to blame for a far larger number of successful attacks against corporate environments. Even those capable of deploying tailor-made exploits against your infrastructure will prefer to make use of these types of vulnerabilities.

Vulnerability management is the terminology used to describe the overall program of activities that oversees vulnerability scanning and detection through to remediation. This is a program that ultimately raises the security of your network by removing potential flaws. 

Vulnerability assessment is a different discipline than penetration testing, typically carried out by different people; however, the term is often used interchangeably by those who are not aware of the differences.

Unlike penetration testing, vulnerability assessment is automated or semiautomated, continuous, and less focused on bespoke systems and applications. Vulnerability assessment tools generally search for flaws such as missing patches, outdated software, common configuration errors, and default passwords. Vulnerability scans ideally operate on an ongoing basis, rather than a one-time or annual ...

Get Defensive Security Handbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.