The VA/PT Conundrum!


I ran into an excellent presentation by Ernest Lopez & Matt Linton of NASA on the VA/PT debate. The issue sounds innocuous, but it is not. As a responsible security team we have absolute nightmares when the two terms are used interchangeably and we have to guess, on the customer's behalf, which of the two is actually wanted.

My educated guess as to why this happens:

 1. Lack of awareness of what constitutes a security assessment, beyond the knowledge that one is required.

 2. "Penetration testing" (PT) sounds less technical as a term than "vulnerability assessment" (VA).

 3. The industry-accepted notation "VA/PT" suggests that the two are interchangeable.

 4. Security teams, for fear of losing business, do not dare to differentiate between the two.

Typical EVM Delivery Challenges

Winning an assignment is an important milestone in a business cycle, but delivering it to the client's expectations is what makes the business repeat and widens the scope for diversification in length and breadth. Like any delivery unit in a classical IT organization, the Enterprise Vulnerability Management (EVM) group within TCS-ESRM faces the typical delivery challenges. I would like to describe these challenges through a case scenario and bring to light the additional effort, well beyond normal levels, that each individual in this unit had to put in to ensure a timely and appreciable result.

Enterprise Vulnerability Management Framework - Part 1

Enterprise Vulnerability Management Framework

The earth has been trembling for a while now; the great Himalayan quake has left the Nepalese dazed and razed. In India we have been rumbling for weeks, and we are all scared of the unknown. Nobody can predict the timing of an earthquake.

My professional service line is equally unpredictable. I work in software security, yet I cannot predict a breach. I can map an organization into vulnerable "seismic zones" and quantify the severity of a breach (à la Richter scale), yet I cannot predict its exact timing.

Just as the great tectonic plates move and collide in an earthquake, vulnerabilities also connive to move in groups and expose an oceanic trench for the prying hacker, waiting with his fishing rod for a prized catch. Vulnerability management that is reduced to a vulnerability assessment is not adequate to secure an organization.
