
List:       isn
Subject:    [ISN] Too Scared To Scan
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2013-03-28 7:17:57
Message-ID: alpine.DEB.2.02.1303280217460.22851 () infosecnews ! org

http://www.darkreading.com/security/application-security/240151869/too-scared-to-scan.html

By Ericka Chickowski
Contributing Writer
Dark Reading
March 27, 2013

When it comes to detecting vulnerabilities in mission-critical applications, 
security professionals often find themselves in a bind. These are usually the 
applications that the enterprise can least afford to see compromised. But at the 
same time, they are also the applications whose owners are most likely to balk 
at security testing or scanning probes while they're live. These opponents of 
vulnerability scans on production applications point to the near-zero 
tolerance for downtime or disruption as reason enough to leave well enough 
alone. But according to security professionals, someone will eventually find 
those vulnerabilities, and if the organization doesn't do it first, odds are it 
is the bad guys who will ferret out the flaws.

"Scanning production applications is a challenging proposition, as availability 
and data integrity are paramount for organizations," says Wolfgang Kandek, CTO 
of Qualys. "However, security has become as important as availability, and 
anyway, attackers are doing their own scanning to map out the assets of the 
organizations, whether we like it or not."

The fact is that organizations can't fix what they don't know about, and when it 
comes to many of their most important production applications, many enterprises 
simply don't have the visibility to discover potentially disastrous flaws.

"If you're not scanning production systems for vulnerabilities, you're almost 
guaranteed to leave some risk to your most critical assets undiscovered," says 
Tim Erlin, director of IT security and risk strategy for nCircle. "There is no 
way to manage and mitigate undiscovered risk. The trend is definitely towards 
more frequent scanning, but there's no doubt that there are multi-billion 
dollar companies out there that don't have a consistent scanning program."

[...]
