• @cannibalkitteh
    7 · 1 month ago

    Part of my job used to involve explaining patch supersedence to leadership so that they had a clear idea of why a totally different patch needs to be loaded to address a vulnerability reporting a different patch number in the scanner.

    • @yannic@lemmy.ca
      1 · 1 month ago

      Tenable (or how our security folks have our scans configured) doesn’t seem to get that.

      • @cannibalkitteh
        2 · 1 month ago

        I used to have to explain it to them too, but could usually get them to understand by referencing the CVE and the breakdown from the MS security updates guide.

        • @yannic@lemmy.ca
          2 · 1 month ago

          My favourite is:

          Them: We want less red in the pie chart. Fix that remote vulnerability.

          Me: We don’t even have that component enabled. It’s reporting on a DLL file version, not the vulnerability itself.

          Them: Just lower our vulnerability score.

          (Me wondering if deploying dozens of fully-patched systems would have the same proportional effect)
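The two situations the thread describes (a scanner asking for a patch that a newer cumulative update already supersedes, and a finding keyed on a DLL version for a component that is not even enabled) can be triaged mechanically before the pie-chart discussion starts. The script below is an added example, not code from either commenter or from Tenable; the KB names, component names and supersedence map are constructed placeholders, not real Microsoft KB numbers or scanner output.

```python
from typing import Dict, List, Optional, Set

# Constructed supersedence map: each KB -> the KB that replaces it.
# Placeholder identifiers only, not real Microsoft KB numbers.
SUPERSEDED_BY: Dict[str, str] = {"KB-A": "KB-B", "KB-B": "KB-C", "KB-C": "KB-D"}

# Constructed scanner findings: the patch the scanner wants and the component it belongs to.
FINDINGS = [
    {"id": 1, "kb": "KB-A", "component": "print-spooler"},
    {"id": 2, "kb": "KB-X", "component": "legacy-smb"},
    {"id": 3, "kb": "KB-Y", "component": "rdp"},
]


def supersedence_chain(kb: str, superseded_by: Dict[str, str]) -> List[str]:
    """Follow kb -> replacement -> ...; stop when there is no successor or a cycle appears."""
    chain: List[str] = []
    cur: Optional[str] = kb
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = superseded_by.get(cur)
    return chain


def covering_patch(flagged_kb: str, installed: Set[str],
                   superseded_by: Dict[str, str]) -> Optional[str]:
    """Return the installed KB that satisfies the flagged one (itself or any successor), else None."""
    for kb in supersedence_chain(flagged_kb, superseded_by):
        if kb in installed:
            return kb
    return None


def triage(findings, installed: Set[str], enabled: Set[str],
           superseded_by: Dict[str, str]) -> Dict[int, str]:
    """Classify each finding as resolved by supersedence, resolved directly, non-applicable, or actionable."""
    result: Dict[int, str] = {}
    for f in findings:
        cover = covering_patch(f["kb"], installed, superseded_by)
        if cover and cover != f["kb"]:
            result[f["id"]] = f"resolved by superseding patch {cover}"
        elif cover:
            result[f["id"]] = f"resolved by {cover}"
        elif f["component"] not in enabled:
            # The scanner matched on a file version; the component itself is not in use.
            result[f["id"]] = "component not enabled; finding keyed on file version only"
        else:
            result[f["id"]] = "actionable: install " + f["kb"]
    return result
```

Feed `triage` the installed KB list from your inventory and the set of enabled components per host; the output is the evidence to attach to the CVE reference when pushing back on a finding.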