When a vulnerability scanner such as QualysGuard reports its results, it includes mitigation recommendations. These recommendations are necessarily incomplete: the scanner cannot, for example, be aware of any constraints you have placed on network access or traffic. A vulnerability scanner can only report what it sees; the suggested remediation and mitigation measures serve to clarify what it is reporting.
Nonetheless, suggested remediation measures should not be misleading. If, for example, a vulnerability in OpenSSH is detected, a bare recommendation such as “upgrade to OpenSSH 3.6.2 (or later)” would be incorrect for Linux distributions that ship OpenSSH as part of the distribution. Instead, the recommendation should read “install vendor update or upgrade to OpenSSH 3.6.2 (or later).” That is, you should install the operating system vendor’s update unless you have a very good reason not to:
- The operating system vendor’s update will be available before the product’s general release.
- The operating system vendor’s update is a managed update. The vendor will have difficulty supporting you when you introduce component variation.
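A small triage helper that turns a banner-based OpenSSH finding into the recommendation wording argued for above. It is an added example, not code from the post, from QualysGuard or from any other scanner; the banner parsing rules, the `vendor_managed` flag (whether the host runs the distribution's package) and the sample banners are all assumptions constructed for illustration.

```python
"""Rewrite a banner-only OpenSSH finding into a non-misleading recommendation.

Added example for this post; the banner format handled here and the
vendor_managed flag are assumptions, and all sample inputs are constructed.
"""
import re

# Matches "OpenSSH_3.4p1", "OpenSSH_3.6.2", "OpenSSH 3.6.2p1" inside a banner.
_VER = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?", re.IGNORECASE)


def parse_openssh_version(banner: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a banner such as 'SSH-2.0-OpenSSH_3.4p1'.

    The portable-release suffix (p1, p2, ...) is ignored because the fixed
    version in a scanner finding is expressed without it.
    """
    m = _VER.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def banner_older_than(banner: str, fixed: str) -> bool:
    """True when the advertised version is below the upstream fixed version."""
    return parse_openssh_version(banner) < parse_openssh_version("OpenSSH_" + fixed)


def remediation(banner: str, fixed: str, vendor_managed: bool) -> str:
    """Produce the wording the post asks for instead of a bare 'upgrade'.

    A distribution package can carry a backported fix while still advertising
    the old upstream version, so a banner comparison alone must not conclude
    'vulnerable' on a vendor-managed host; it can only ask for a vendor check.
    """
    if not banner_older_than(banner, fixed):
        return f"not affected: banner reports OpenSSH {fixed} or later"
    if vendor_managed:
        return (f"install vendor update or upgrade to OpenSSH {fixed} (or later); "
                "the vendor package may already include a backported fix, so "
                "confirm the installed package against the vendor advisory")
    return f"upgrade to OpenSSH {fixed} (or later)"


if __name__ == "__main__":
    # Constructed findings: one distribution host, one self-built install.
    for banner, managed in (("SSH-2.0-OpenSSH_3.4p1", True),
                            ("SSH-2.0-OpenSSH_3.4p1", False),
                            ("SSH-2.0-OpenSSH_3.6.2p1", True)):
        print(f"{banner:28} -> {remediation(banner, '3.6.2', managed)}")
```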
There are many examples of mitigation recommendations that could be clearer. I began assembling them into a Microsoft Word document, “Vulnerability Remediation Synopsis.docx”. It is not complete, but it may be of value to anyone reviewing mitigation measures.
When you are involved in remediation, use a tool to plan and track the work; see ThreadFix.