Jeremiah Grossman: Vulnerability Stack

Friday, November 10, 2006

Vulnerability Stack

Enterprise security professionals have the responsibility of dealing with vulnerabilities. They have to find and fix as many issues as possible wherever they happen to pop up. Varying from one environment to the next, this can be a REALLY big job. To keep up many enlist the help of commercial and open source solutions. The problem is there are perhaps 100’s, or more, vulnerability management/assessment/scan/remediation/consulting vendors all targeting a specific niche of the vulnerability stack in their own special way. It’s a confusing landscape to say the least.In my position I get asked a lot about who covers what, how is it different from the other guy, or how good is it. I do my best to keep track of these things since it’s my business to know and want to give educated answers. I thought it would be helpful to create a couple of graphics that people researching solutions would be able to use. Less confusion = good.

The first graphic is my take on the “vulnerability stack”, the areas of focus for vulnerability scanning/assessment solutions. This is helpful for asking vendors what area they cover. There are probably some areas I missed, but it’s a first draft. If my technical vulnerabilities and business logic flaws terminology is confusing, please see Technology Alone cannot Defeat Web Application Attacks: Understanding Technical vs. Logical Vulnerabilities

The second graphic is a vulnerability scanning/assessment vendor comparison chart. Here we’re trying to answer the “who covers what question?” and a foundation to ask how they are different. I know some will vendors claim they do more that what the chart indicates, but I’m listing only their main areas of focus. If someone happens to add a web application vuln check or two, it doesn’t make them a network scanner. Likewise if web application scanners adds a few network checks, it hardly a new Nessus. A decent amount of comprehensiveness in the block is required. Enjoy!

6 comments:

Anonymous said...: Nice chart. You might want to consider turning off the spell checker and re-exporting it...

(Not trying to be snarky, consider this a bug report and a genuine compliment in one.); November 13, 2006 at 10:53 AM
Jeremiah Grossman said...: darn, that was the second time someone mentioned that, so it had to be fixed. The red underlines have been removed from the image. Thanks for the feedback!; November 13, 2006 at 12:25 PM
Anonymous said...: Nice framework! Don't forget databases (ex. Oracle), packaged apps (ex. PeopleSoft), and custom apps.; November 14, 2006 at 7:57 AM
Anonymous said...: Where's Internet Security Systems? A big market leader should show up, right?; November 14, 2006 at 8:35 AM
Jeremiah Grossman said...: Thank you for the comment and made some updates to the vulnerability stack image and added ISS to my vulnerability comparison chart. I'll probably need to update this again to match the stack image better. These should do for now though.; November 14, 2006 at 10:40 PM
Adam Scott said...: Security is the degree of protection against danger, damage, loss, and criminal activity. Security has to be compared to related concepts: safety, continuity, reliability. The key difference between security and reliability is that Security System must take into account the actions of people attempting to cause destruction.; September 29, 2010 at 12:17 PM

Post a Comment

BIO

Jeremiah Grossman brings 20+ years of experience in Computer Security and has become one of the most recognizable and world-renowned cybersecurity experts in the industry, coining several of the original hacking terms commonly used around the world today. Early in his career, Jeremiah was known as “The Hacker Yahoo” which led to his role as the company’s Information Security Officer. Jeremiah founded WhiteHat Security (now Synopsis), and served as Chief of Security Strategy for SentinelOne which was the highest-valued cybersecurity IPO in history. Most recently, Jeremiah was the founder & CEO of Bit Discovery, which was acquired by Tenable in 2022. He also serves as a company advisor and board member to several tech startups. In his spare time, Jeremiah does Brazilian Jiu-Jitsu and is passionate about classic cars. He recently opened Toybox, a luxury car club in Boise, Idaho.