riskanalysis
riskanalysis [2017/10/24 15:23] – [Vulnerability remediation] lallodi
- introduce new vulnerabilities.

The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http://
confounding factors [[http://
This led to poor vulnerability management practices, whereby vulnerability patching work is overwhelmed by the huge number of patches to install, which cannot, however, be straightforwardly applied because of the concerns outlined above.
riskanalysis.txt · Last modified: 2021/01/10 21:04 by 127.0.0.1