On a slow Saturday in May I thought I would open the forum for discussion here at the ISC on a topic. I am working on a project to update the Continuous Vulnerability Assessment (CVA) capability for a client, and I have found a lot of good information on the web. What I havent found a lot of is good experiences on the web. Guy Bruneau wrote a great article in October on CVAand Remediation for the Critical Controls discussed in October.
First off what is a vulnerability assessment? Wikipedia defines a vulnerability assessment as the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Vulnerability assessments are often confused with penetration testing, however these two functions serve different roles in a the organization and the overall security assessment. A CVA program, as a component of the overall enterprise systems management program, needs to consider the process for asset identification, vulnerability reporting and remediation.
Information I have collected runs the gamut of technical and marketing information. A great report on assessment tools is available here. Search the web for Vulnerability Assessment, Continuous Vulnerability Assessment, or CVA and the results range greatly. Technical, marketing, best practices, etc., but what is not abundant is experiences. What Im asking of you today is input on experiences and challenges that you've encountered in your implementation or update of a CVA program. Id love to hear about both the technical and environmental challenges encountered along the way. Ask yourself If I had to do it differently, what would I change? thats what I would like to hear.
tony d0t carothers - gmail
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.