Questions tagged [vulnerability-management]
The vulnerability-management tag has no summary.
72 questions
4 votes
0 answers
141 views
What if MITRE's CVE goes dark? [closed]
With the recent news that MITRE's contract to maintain the Common Vulnerabilities and Exposures (CVE) program is set to expire on April 16, 2025, there's concern about the future. Also see this ...
1 vote
0 answers
53 views
How to manage a lot of vulnerability scanners from CICD Pipelines?
My company has a lot of projects and uses various vulnerability scanners (e.g. Trivy, npm audit, SAST,...) in different stages in each of them. The Problem is now that although they run well, it's not ...
1 vote
1 answer
988 views
Is CVE-2024-20666 Bitlocker vulnerability mitigated by disabling Windows RE or removing the recovery partition?
Taking Microsoft's page on CVE-2024-20666 at face value, that Bitlocker vulnerability is darn serious in an "evil maid" attack: A successful attacker could bypass the BitLocker Device ...
0 votes
1 answer
102 views
What does a "?" mean in Common Product Enumeration (CPE)?
I looked at the documentation for CPE Naming Specification Version 2.3 http://csrc.nist.gov/publications/nistir/ir7695/NISTIR-7695-CPE-Naming.pdf Specification says, "*" or "-" is ...
1 vote
1 answer
322 views
Vulnerabilities in Build-time Libraries Could be a Security Threat
If a dependency that is used in development environment or at build time has a security vulnerability, could it cause a security threat for the application? I'm looking for an example to understand ...
1 vote
1 answer
113 views
Vulnerability: Standalone Library vs. Same Code Elsewhere
Are libraries inherently more vulnerable than in-house application code? The speaker of this talk generally advises folks against creating wrapper libraries for Erlang in Elixir rather than just ...
1 vote
1 answer
351 views
Is there a way to check if vulnerability introduced by npm package is reachable/exploitable
I have a problem where I have too many vulnerabilities on a few hundred repositories introduced with outdated npm packages. The issue is that I need to find a way to prioritize this. The biggest pain ...
1 vote
1 answer
143 views
Security for a Windows application running in a corporate network
I know security is pretty important for the web application, but what about Windows applications running in a corporate environment, network, not accessible from outside. Do we need to treat security ...
0 votes
3 answers
588 views
How to manage my vulnerability scan reports efficiently
My company uses multiple tools for vulnerability scanning. We have Nessus Pro for network scanning, White Source Bolt and GitHub Dependabot for dependencies, and SonarQube for source code, and Burp ...
1 vote
2 answers
1k views
Manually Validating Vulnerabilities from a Vulnerability Scan
How do you manually validate vulnerabilities from a vulnerability scan or a vulnerability release from a vendor? Say you received a report with a high vulnerability. The vulnerability scanner used a ...
1 vote
1 answer
724 views
What is difference & link between threat modelling and vulnerability assessment?
My understanding is that, threat modelling is used at the design stage to identify the possible threats, prioritize them and help in identifying security requirements/security controls. Vulnerability ...
2 votes
1 answer
364 views
vulnerability management 101
Looking at a typical vulnerability scan report from Nessus or Qualys most people are terrified, lost, and basically with more questions than answers. For example, how on earth am I going to deal with ...
40 votes
4 answers
7k views
How do open-source projects prevent disclosing a bug while fixing it?
I understand that many open-source projects request vulnerabilities not to be disclosed on their public bug tracker but rather by privately contacting the project's security team, to prevent ...
0 votes
0 answers
116 views
Chrome Vulnerabilities are detected in vulnerability scan even after upgraded with latest versions [duplicate]
Had a few Chrome vulnerabilities [CVE-2020-6420] detected by BI (Retina). Upgraded the affected machines to Chrome version 84.0.4147.89. After re-scan still the same vulnerabilities are detected. Anyone ...
0 votes
3 answers
327 views
Vulnerability management benchmarks
Despite the continuous effort in our company to resolve vulnerabilities, we are still reporting a significant number of vulnerabilities after each scan we perform. We would like to understand if ...