Comments on: WhiteHatSec Innovation http://www.mikeandrews.com/2008/03/18/whitehatsec-innovation/ Fri, 09 Apr 2010 12:01:55 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Mike http://www.mikeandrews.com/2008/03/18/whitehatsec-innovation/comment-page-1/#comment-84 Mike Thu, 20 Mar 2008 15:46:52 +0000 http://www.mikeandrews.com/2008/03/18/whitehatsec-innovation/#comment-84 Mitigate might not be exactly the right word (I'm glad I'm not the only one that struggles occationally to find the best word/phrase), but I dont think remediate is it either. Mitigate is "To make less severe or more bearable" whereas remediate is "The act or process of correcting a fault or deficiency". The former (to me) means something temporary, or at least not a total solution whereas the latter is more "permanent". I dont think I'd like to see VA+WAF become the latter, whereas the former I could live with for a short while. As for what % of vulns I would expect to be fixed - I would expect (if I were the security manager) 100% or at least a very high porportion - there are some "vulns", or "findings" in my voculabury, that if it were my site I'd be prepared to live with. In the real world however, it's going to be a lot lower that that - I guess it depends on the org and the number of people (certain clients of mine fix *everything* whereas one or two I can come back to a year later and they have changed nothing), but I would probably take a guess at <50% if VA+WAF was the only approach they were using. Mitigate might not be exactly the right word (I’m glad I’m not the only one that struggles occationally to find the best word/phrase), but I dont think remediate is it either. Mitigate is “To make less severe or more bearable” whereas remediate is “The act or process of correcting a fault or deficiency”. The former (to me) means something temporary, or at least not a total solution whereas the latter is more “permanent”. I dont think I’d like to see VA+WAF become the latter, whereas the former I could live with for a short while.

As for what % of vulns I would expect to be fixed – I would expect (if I were the security manager) 100% or at least a very high porportion – there are some “vulns”, or “findings” in my voculabury, that if it were my site I’d be prepared to live with. In the real world however, it’s going to be a lot lower that that – I guess it depends on the org and the number of people (certain clients of mine fix *everything* whereas one or two I can come back to a year later and they have changed nothing), but I would probably take a guess at <50% if VA+WAF was the only approach they were using.

]]> By: Jeremiah Grossman http://www.mikeandrews.com/2008/03/18/whitehatsec-innovation/comment-page-1/#comment-82 Jeremiah Grossman Wed, 19 Mar 2008 01:44:47 +0000 http://www.mikeandrews.com/2008/03/18/whitehatsec-innovation/#comment-82 Thank you very much for the kind words, I appreciate it. I've been really trying to find the right word(s) to articulate what the VA+WAF provides. Does it "mitigate"? You say nay, but I tend to like that word the best. "Remediate"? Eh, I didn't like that one. Resolve? I think we're on the same page that the vulnerability still needs to be fixed in the code, though I really can't find the right word to describe the benefits that makes everyone happy. I so loathe these matters of semantics. Here's a hypothetical question for ya, should the solution work as advertised, what percentage of vulnerabilities would you expect to be fixed in the code after the fact? Interesting thing to ponder. Your pros and cons discussion about SaaS vs. Consulting vs. Product is a good one too. From my point of view some independent reviewer should really take a shot at comparing the options despite being apples and oranges. I mean customers have to do it today already, why not give them some assistance ahead of time. Thank you very much for the kind words, I appreciate it. I’ve been really trying to find the right word(s) to articulate what the VA+WAF provides. Does it “mitigate”? You say nay, but I tend to like that word the best. “Remediate”? Eh, I didn’t like that one. Resolve? I think we’re on the same page that the vulnerability still needs to be fixed in the code, though I really can’t find the right word to describe the benefits that makes everyone happy. I so loathe these matters of semantics.

Here’s a hypothetical question for ya, should the solution work as advertised, what percentage of vulnerabilities would you expect to be fixed in the code after the fact? Interesting thing to ponder.

Your pros and cons discussion about SaaS vs. Consulting vs. Product is a good one too. From my point of view some independent reviewer should really take a shot at comparing the options despite being apples and oranges. I mean customers have to do it today already, why not give them some assistance ahead of time.

]]>