Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
vrighter 3 days ago

because you end up spending a non-trivial amount of time with "soc analysts" bugging you about a bluetooth vulnerability on an os installed on a virtual machine on a server that lacks bluetooth hardware, for example

MattPalmer1086 3 days ago | parent | next [-]

This is an unfortunate truth of a lot of security people and processes. A blind checkbox-oriented "CVE reported so must fix" approach.

I just had one where we were asked to remove a management client for an internal server that had a DOS vulnerability reported (which could not be triggered by the management client). I pointed out that removing the client does not mitigate the DOS issue - and we would be effectively causing a denial of service on ourselves! No dice. Scan shows vulnerable version, must make number of reported vulns go down. Zero thought, huge effort.

It does huge damage to security and the business to take this kind of approach, but it's depressingly common.

esseph 3 days ago | parent [-]

It's because legal liability is tied up in it and therefore insurance.

MattPalmer1086 2 days ago | parent [-]

That may explain some of it, but I've seen it all over, including in places I know that is not the case.

Mostly I think it boils down to a combination of a CYA mentality, risk averse managers and unskilled security personnel.

Making a decision that this Critical (potential) vulnerability does not need fixing is a decision that none of the above want to make and stand by, or have to explain.

betaby 2 days ago | parent | prev | next [-]

That's how it work in our company.

zingababba 3 days ago | parent | prev [-]

This is why CVE sucks, no context.