Info

Paul's Security Weekly TV

Security news, interviews, how-to technical segments. For security professionals by security professionals. We Hack Naked.
RSS Feed Subscribe in Apple Podcasts
Paul's Security Weekly TV
2020
November
October
September
August
July
June
May
April
March
February
January


2019
December
November
October
September
August
July
June
May
April
March
February
January


2018
December
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
July
June
May
April
March
February
January


2015
December
November
October
September
August
July
June
May
April
March
February
January


2014
December
November
October
September
August
July
June
May
April
March
February
January


2013
December
November
October
September
August
July
June


Categories

All Episodes
Archives
Categories
Now displaying: Category: topic,Patch Management,Vulnerability Management
Oct 1, 2020

There was a pretty extensive discussion on the Discord server during last week's show that we thought was appropriate to discuss on air. Josh kicked off the discussion by asking, "Anybody know any vulnerability remediation timeline guidance? Formalized, scientifically based stuff?" Josh further clarified, "just trying to find the science behind why and when I should give a crap about vulnerabilities". He finally stated, "I am troubled by the lack of empirically based standards of remediation timing, remediation prioritization, remediation adjustment/offsets based on compensating controls." This launched a multi-threaded conversation that touched on vulnerability management, how to pass various compliance audits/assessments, the many vendors that have latched on to "prioritization" of vulnerabilities, or simply "Risk-Based Vulnerability Management". Of course, PCI became a focal point for much of the discussion because of the mention of vulnerability management, compensating controls, remediation timing, etc. - all of which is addressed within the PCI DSS (despite what Quadling thinks). We're going to try to find consensus on the problem, possible solutions (based on recognized sources), and provide advice.

 

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/scw45

1