Methodology to reduce vulnerabilities and compliance issues from third-party software

I'm new to the software security field; I have been dragged into a team which reads a report created by software (Nessus) that identifies vulnerabilities in our servers and workstations. It is pretty much a reactive effort versus a proactive one. My role consists of finding the causes of each vulnerability item, using the abstract articles associated with the risk and the software implemented. I try to narrow down what is causing Nessus to report the problem, either by identifying a missing patch or workaround, or sometimes by identifying changes to the registry (manually looking in every server) to see what got changed. The question is: is there a better approach (tool, methodology) which will allow me to be more proactive in preparing the environment before implementing the update patches, and is there a way to customize or use a tool to generate reports, or use features already part of Windows Server 2008 R2, that will allow me to audit the changes that are occurring when these GPOs are implemented? Clients have Windows 7 workstations.

Software/Hardware used:
Windows Server 2008/Windows 7


So basically what you are implying is that the Deployment Management Team at this stage has done their work.

They have successfully integrated the patch into the system, and I have to assume the implementation of the patch met or was below the risk factors identified earlier during the planning of the software life cycle. If problems were encountered, the self-healing process built into Windows packages will "fix" any outstanding DLL, which will be regenerated or replaced. While following these guidelines we need to take it as certain that whatever the Nessus application finds, it will either be a missing patch or Nessus not running the latest plugin. We have found in some cases that Nessus is not smart enough, or probably is not in sync with the patch update, and it will flag problems such as path changes (app locations) in the registry. Sometimes it will flag issues on features in question which are disabled on the host.

In conclusion, what I need to understand is that the Nessus tool will provide me with a general diagnosis of the host, and it will require research on my part to verify whether those findings apply to the host or not. If the conclusions do not apply, create the RAD report and explain why we will accept the vulnerability. Otherwise, follow the abstract of the patch from the vendor to mitigate the problem. Use features from the OS to gather data (audit trails from the registry) to see what the patch alters on the system (before and after settings), or create measurement reports as baselines. This is what I mean by being proactive, and I expect this to be a continuous effort to meet the zero-day patch.

thanks for the insight
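The before/after baseline the post describes, as an added PowerShell example that is not part of the original thread. It assumes an administrator session in PowerShell 2.0 or later on Windows Server 2008 R2 or Windows 7; the registry key list is a constructed sample of settings vulnerability scanners commonly check, and the function names are hypothetical. It also pulls the registry-modification events (4657) that the Security log records once Object Access > Registry auditing and an auditing SACL are in place, which is the audit trail the post mentions.

```powershell
# Added example, not from the original post. Snapshot hotfixes, service start modes and
# selected registry values before and after a patch or GPO change, then diff the two.
# Constructed sample of keys that scanners commonly inspect (assumption; extend as needed).
$RegistryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
)

function Get-RegistryValues {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        # Include subkeys so per-protocol entries under SCHANNEL are captured too
        $items = @(Get-Item -Path $key -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            if ($item -eq $null) { continue }
            foreach ($name in $item.GetValueNames()) {
                New-Object PSObject -Property @{
                    Type  = 'Registry'
                    Name  = "$($item.Name)\$name"
                    Value = [string]$item.GetValue($name)   # REG_MULTI_SZ joins with spaces
                }
            }
        }
    }
}

function Get-HotfixList {
    # Same source Get-HotFix reads; the KB id is the stable key for the diff
    Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object {
        New-Object PSObject -Property @{ Type = 'Hotfix'; Name = $_.HotFixID; Value = $_.InstalledOn }
    }
}

function Get-ServiceState {
    # Track start mode and state: a disabled service is a common "false" scanner finding
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        New-Object PSObject -Property @{ Type = 'Service'; Name = $_.Name; Value = "$($_.StartMode)/$($_.State)" }
    }
}

function New-HostBaseline {
    param([string]$Path)
    $snapshot = @(Get-HotfixList) + @(Get-ServiceState) + @(Get-RegistryValues -Keys $RegistryKeys)
    $snapshot | Export-Clixml -Path $Path
    Write-Host ("Wrote {0} entries to {1}" -f $snapshot.Count, $Path)
}

function Compare-HostBaseline {
    param([string]$Before, [string]$After)
    $b = Import-Clixml -Path $Before
    $a = Import-Clixml -Path $After
    # '=>' is the value present after the change, '<=' the value present before it
    Compare-Object -ReferenceObject $b -DifferenceObject $a -Property Type, Name, Value |
        Sort-Object Type, Name |
        Select-Object Type, Name, Value,
            @{ n = 'Seen'; e = { if ($_.SideIndicator -eq '=>') { 'after' } else { 'before' } } }
}

function Get-EventField {
    param([string]$Message, [string]$Label)
    # Pull "Label:<whitespace>value" out of the multi-line event message text
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { $matches[1] } else { $null }
}

function Get-RegistryChangeEvents {
    param([datetime]$Since)
    # Event 4657 ("A registry value was modified") is written only when
    #   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
    # is in effect and the key carries an auditing SACL (regedit > Permissions > Advanced > Auditing,
    # or Global Object Access Auditing via GPO on 2008 R2 / Windows 7).
    # Field labels below match the English event text.
    Get-EventLog -LogName Security -InstanceId 4657 -After $Since -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            New-Object PSObject -Property @{
                Time      = $_.TimeGenerated
                Key       = Get-EventField $msg 'Object Name'
                ValueName = Get-EventField $msg 'Object Value Name'
                OldValue  = Get-EventField $msg 'Old Value'
                NewValue  = Get-EventField $msg 'New Value'
                Process   = Get-EventField $msg 'Process Name'
            }
        }
}

# Usage (paths are hypothetical):
#   . .\HostBaseline.ps1
#   New-HostBaseline -Path C:\Baselines\srv01-before.xml        # before the patch / GPO
#   ... apply the update, reboot ...
#   New-HostBaseline -Path C:\Baselines\srv01-after.xml
#   Compare-HostBaseline -Before C:\Baselines\srv01-before.xml -After C:\Baselines\srv01-after.xml | Format-Table -AutoSize
#   Get-RegistryChangeEvents -Since (Get-Date).AddHours(-2) | Format-Table -AutoSize
```

Take the first snapshot before the patch or GPO is applied and the second after the reboot, then attach the diff to the finding in the scanner report: a Nessus item that maps to a hotfix or registry value that did change is a real fix, one whose setting is unchanged and already correct is a candidate for the accepted-risk write-up. `gpresult /h report.html` on the target gives the applied GPO settings for the same kind of before/after comparison.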

Discuss This Question: 3 Replies

  • TomLiotta
    I can't quite make sense of your question. It sounds like you want some software that (a) can analyze each potential "updates patches", (b) compare their potential impacts against each object, and potentially each combination of objects, in your environment, and (c) notify you of vulnerabilities that would appear after the "updates patches" would be applied if you chose to apply them. This would possibly require analysis of combinations of "updates patches". IMO, if such software was rationally possible to create and use (and be affordable), you would already have it. -- Tom
  • carlosdl
    Additionally, I would not consider running vulnerability scans a "reactive" approach. A reactive approach would be to create a team in charge of cleaning up the mess when your system is compromised because you didn't know or care about the previously existing vulnerabilities on it. "if such software was rationally possible to create and use (and be affordable), you would already have it." Maybe if that software existed, the company you currently work for would already have it, and maybe you wouldn't have a job ;-)
  • carlosdl
    One should not assume that Nessus or any other security software is always correct. A human is needed to analyse the output and decide what he wants to do with it. On the other hand, it is good practice to test any patch or software update in a test environment before applying it to the production system. If the necessary equipment is not available, you could use P2V tools to create virtual copies of your servers which you can apply patches to, after which you can run a vulnerability scan on them to determine whether you really want to apply the patch to the live servers, depending on the result of the vulnerability scan you ran.
