“Security has a lot of tools. We have tools to scan networks, code, open-source libraries, databases, cloud configuration, endpoints, infrastructure as code, and more. As security teams, among our key modes of communication are vulnerability reports. More specifically, identifying these issues and letting others know about them with the appropriate context so they can be fixed.
However, there are several problems with this. In this article, I’ll break down a few of them…”
“State Scan Over Scan
Scanning tools aren’t always consistent when it comes to tracking the state of an asset, scan over scan. Does the tool treat each scan as fresh? Does the tool track a specific instance of a vulnerability over the course of multiple scans? What happens when the asset changes in some way in between scans? Should that be considered a new vulnerability or the same one with the same vulnerabilities? How might the tool handle ephemeral infrastructure?
The point of these questions is not to highlight some “right” answer in these scenarios. Rather, to highlight that the complexities in state management are likely to be treated differently by different tools in your stack, leading towards a general inconsistency…” Read the full post here.
Source: In Cybersecurity, Beware Death by a Thousand Vulnerability Reports – By Robert Wood, January 12, 2022. Acceleration Economy.
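To make the “state scan over scan” question concrete, the following is an added example, not code from the article or from any scanner: it reconciles two constructed scan results and shows that keying a finding’s identity on a stable asset id versus an ephemeral hostname yields different new/persisting/resolved counts, which is exactly the inconsistency the excerpt describes. The `Finding` fields, check names and sample scans are all assumptions.

```python
# Added example: reconciling findings across two scans ("state scan over scan").
# All sample data below is constructed; it is not output from a real scanner.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset_id: str    # stable workload identity (survives a redeploy)
    hostname: str    # ephemeral: changes when the instance is rebuilt
    plugin: str      # scanner check / rule identifier
    location: str    # port, path or package where the issue was found


def fingerprint(f: Finding, key: str) -> str:
    """Stable ID for one vulnerability instance. `key` is the asset attribute
    the tool uses for identity: 'hostname' (ephemeral) or 'asset_id' (stable)."""
    raw = f"{getattr(f, key)}|{f.plugin}|{f.location}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def reconcile(previous, current, key="asset_id"):
    """Classify findings as new, persisting or resolved between two scans."""
    prev = {fingerprint(f, key): f for f in previous}
    curr = {fingerprint(f, key): f for f in current}
    return {
        "new": sorted(curr.keys() - prev.keys()),
        "persisting": sorted(curr.keys() & prev.keys()),
        "resolved": sorted(prev.keys() - curr.keys()),
    }


# Constructed sample: the web tier was rebuilt between scans (new hostname, same
# workload), the outdated package was fixed, and a new header issue appeared.
SCAN_1 = [
    Finding("web-tier", "web-a1b2", "WEAK-TLS-CIPHER", "tcp/443"),
    Finding("web-tier", "web-a1b2", "OUTDATED-PKG", "pkg:openssl"),
]
SCAN_2 = [
    Finding("web-tier", "web-c3d4", "WEAK-TLS-CIPHER", "tcp/443"),
    Finding("web-tier", "web-c3d4", "MISSING-HEADER", "/login"),
]

if __name__ == "__main__":
    # Keyed on the stable asset id the cipher finding persists; keyed on the
    # hostname it is reported as resolved plus a brand-new duplicate.
    for key in ("asset_id", "hostname"):
        r = reconcile(SCAN_1, SCAN_2, key)
        print(key, {k: len(v) for k, v in r.items()})
```

Run against a real tool, the same comparison tells you which identity attribute that tool is actually using, and therefore whether its "new" findings are genuinely new or just rebuilt hosts.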