Wednesday, August 12, 2015

Security Vulnerability Scanner

Hi All,

Sorry for the delay in posts. I have been going through a busy schedule.

Talking about vulnerability scanners: these are tools we can use to find vulnerabilities present in the infrastructure, which may exist because of legacy machines, improper implementation of the "Information system acquisition and development policy", or a rush to complete projects.

Those bugs or loopholes can be discovered easily using vulnerability scanner tools such as CCSVM or Qualys Guard, but there are still some difficulties in using these tools. I am sure you are aware of the term "false positive".

The lengthy reports they generate sometimes take weeks to read, especially when you are dealing with a huge banking infrastructure or a telecom giant's servers. I have used both of them, and considering the licence cost, the effort to manage these commercial tools and the complexity of the reports, I would rather suggest again that it is always better to develop a proper new system acquisition and development policy in the organisation and apply it to all new projects being introduced: it will not just decrease the risk level but also help save some $ in the end.

For legacy machines you can bring a gateway into the change management approval series and make it mandatory that all changes going to production infrastructure are checked for loopholes and vulnerabilities, and do not allow implementation of changes until the vulnerabilities are fixed. In case of emergency changes, a Security Override Document (SOD) can be requested from the business with a fixed date on it by which the open bug must be fixed.
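The gate described above, written out as an added example (this is not code from the post's author or from any scanner vendor). It assumes a simple record layout for findings and for the SOD: a finding has an ID, host, severity and a triage flag for false positives; an SOD names the findings it covers, the approver and the fix-by date the business committed to. The gate blocks a change while any critical or high finding is open and not covered by an unexpired SOD. The sample findings are constructed.

```python
"""Change-management gate for production changes.

Added example for this post; not the author's or any vendor's code.
The Finding / SecurityOverride layouts and the severity threshold are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumption: policy says only critical and high findings block a change.
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass
class Finding:
    finding_id: str
    host: str
    severity: str                  # "critical" | "high" | "medium" | "low"
    false_positive: bool = False   # set by an analyst after triage


@dataclass
class SecurityOverride:
    """Security Override Document (SOD) raised by the business for an
    emergency change, with a fixed date by which the bug must be fixed."""
    sod_id: str
    finding_ids: set
    fix_by: date
    approver: str


@dataclass
class GateDecision:
    approved: bool
    blocking: list = field(default_factory=list)    # finding IDs that block
    overridden: list = field(default_factory=list)  # finding IDs covered by SOD
    reasons: list = field(default_factory=list)


def evaluate_change(findings, sod=None, today=None):
    """Approve only if every blocking-severity finding is either triaged
    as a false positive or covered by an SOD whose fix-by date has not
    passed. Expired SODs do not count: the business missed its own date."""
    today = today or date.today()
    decision = GateDecision(approved=True)
    for f in findings:
        if f.false_positive or f.severity not in BLOCKING_SEVERITIES:
            continue  # triaged out or below the policy threshold
        if sod is not None and f.finding_id in sod.finding_ids:
            if sod.fix_by < today:
                decision.approved = False
                decision.blocking.append(f.finding_id)
                decision.reasons.append(
                    f"{sod.sod_id} expired on {sod.fix_by}; {f.finding_id} still open")
            else:
                decision.overridden.append(f.finding_id)
                decision.reasons.append(
                    f"{f.finding_id} on {f.host} covered by {sod.sod_id} "
                    f"(approver {sod.approver}, fix by {sod.fix_by})")
            continue
        decision.approved = False
        decision.blocking.append(f.finding_id)
        decision.reasons.append(
            f"{f.severity} finding {f.finding_id} on {f.host} has no fix and no SOD")
    return decision


def sample_findings():
    """Constructed scan output for the demonstration (not real data)."""
    return [
        Finding("F-1", "db01", "critical"),
        Finding("F-2", "app01", "high", false_positive=True),  # triaged out
        Finding("F-3", "app02", "medium"),                     # below threshold
        Finding("F-4", "web01", "high"),
    ]


if __name__ == "__main__":
    scan_day = date(2015, 8, 12)
    # Normal change: blocked until F-1 and F-4 are fixed.
    print(evaluate_change(sample_findings(), today=scan_day))
    # Emergency change with a valid SOD covering both open findings.
    sod = SecurityOverride("SOD-0042", {"F-1", "F-4"}, date(2015, 9, 30), "business owner")
    print(evaluate_change(sample_findings(), sod, today=scan_day))
    # Same SOD after its fix-by date has passed: blocked again.
    print(evaluate_change(sample_findings(), sod, today=date(2015, 10, 1)))
```

Passing `today` explicitly keeps the decision reproducible in a pipeline log; in practice the finding list would be fed from the scanner's export after false-positive triage, and the SOD record from the change ticket.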
