Can the issue be recreated manually?
Confirm the issue with manual techniques and with tools other than the scanner that reported it; re-running the same check in a second scanner only repeats the original inference and does not count as confirmation.
Can the software and version be confirmed?
Manually fingerprint the affected host/service and compare the exact version numbers to known vulnerable versions. Scanners usually infer the version from a banner or package name, so check the binary that is actually running and account for distribution backports, where a package whose version string is below the fixed upstream release may already carry the patch. Compare versions as numbered components rather than as strings, since a string comparison will sort 2.4.9 after 2.4.49.
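As an added example (not VerSprite's code, nor output from any particular scanner), the following Python compares a hand-captured service banner against version ranges flagged as vulnerable. The banners, host names and vulnerable ranges are constructed for illustration; the real ranges come from the advisory behind the finding. The naive string comparison is included only to show the pitfall the check above avoids.

```python
"""Fingerprint-versus-known-vulnerable-version check.

Added example; the banners below are constructed as if captured by hand
from an HTTP response header or an SSH greeting, and the vulnerable
ranges are hypothetical, not taken from any advisory."""
import re

# Constructed sample banners (host -> banner text captured manually).
SAMPLE_BANNERS = {
    "web-01": "Server: Apache/2.4.49 (Unix)",
    "web-02": "Server: nginx/1.18.0",
    "web-03": "Server: Apache/2.4.9 (Ubuntu)",
    "bastion": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "web-04": "Server: Apache",  # version hidden: cannot be confirmed from the banner
}

# Hypothetical vulnerable ranges: product -> [(min_inclusive, max_inclusive), ...]
# expressed as integer tuples so they compare numerically.
VULNERABLE_RANGES = {
    "apache": [((2, 4, 0), (2, 4, 50))],
    "nginx": [((1, 0, 0), (1, 17, 10))],
    "openssh": [((7, 0), (8, 1))],
}

# Product name followed by "/" or "_" and a dotted numeric version.
# Suffixes such as the "p1" in OpenSSH_8.2p1 are deliberately dropped.
BANNER_RE = re.compile(r"(Apache|nginx|OpenSSH)[/_](\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_banner(banner):
    """Return (product, version_tuple) or None if no version is exposed."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    product = m.group(1).lower()
    version = tuple(int(part) for part in m.group(2).split("."))
    return product, version


def _pad(version, length):
    """Right-pad a version tuple with zeros so (2, 4) compares as (2, 4, 0)."""
    return version + (0,) * (length - len(version))


def in_range(version, lo, hi):
    """Numeric, component-wise inclusive range test."""
    n = max(len(version), len(lo), len(hi))
    return _pad(lo, n) <= _pad(version, n) <= _pad(hi, n)


def naive_string_check(version_str, lo_str, hi_str):
    """The wrong way: lexical comparison. Shown only to demonstrate the pitfall;
    '2.4.9' sorts after '2.4.50' as a string and is wrongly excluded."""
    return lo_str <= version_str <= hi_str


def assess(banner):
    """Classify one banner: 'vulnerable', 'not_vulnerable' or 'unknown'.
    'unknown' means the version could not be fingerprinted from the banner,
    so the finding is neither confirmed nor dismissed on this evidence."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    product, version = parsed
    for lo, hi in VULNERABLE_RANGES.get(product, []):
        if in_range(version, lo, hi):
            return "vulnerable"
    return "not_vulnerable"


def triage(banners):
    """Assess every captured banner; returns host -> verdict."""
    return {host: assess(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Hosts that come back as unknown still need a different fingerprinting route (for example querying the package manager or the running binary on the host itself) before the finding is closed or confirmed.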
Is the remediation suggestion given by the scanner accurate?
These suggestions can often be incorrect, outdated, or irrelevant to the specific system. Further research may need to be done to produce accurate information.
Is the remediation suggestion tailored to the environment?
The canned suggestions given by the scanner are often only relevant to one software stack. For instance, most suggestions provide guidance for remediating issues in Apache, but not IIS, Tomcat, or nginx.
Who should receive the remediation guidance?
Find out who owns the asset. Find out if developers need to be brought in. Find who has permissions to make and deploy changes.
Is the remediation guidance in terms the asset owner will understand?
Some asset owners are more technical than others. Some are technical but only in their specific niche. Tailor the remediation guidance by using terms that the asset owner will understand.
What is the best way to deliver the guidance?
The issue might need to be emailed out, put into a ticketing system, opened in a code management system, or some combination of all these options.
Did the issue appear in the next scan?
If the issue does not appear in the next scan, that is a good indication that it no longer exists, but only if the next scan actually covered it: confirm that the host was reachable and in scope, that the scan ran with the same credentials and the same plugins or checks, and that the finding was not suppressed or accepted as a risk in the meantime. An issue that is absent because the scanner never reached the host, or reached it with less access than before, has not been shown to be remediated.
Does the issue warrant a manual retest?
Critical, high-severity, or difficult-to-patch issues may warrant a manual retest to ensure the remediation was implemented correctly; a clean scan result alone does not prove that the fix was applied as intended rather than, for example, a banner being changed or the check being skipped.
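As an added example covering the two questions above (whether the issue appeared in the next scan, and whether it warrants a manual retest), the Python below diffs two constructed scan exports and refuses to treat a missing finding as fixed when the follow-up scan did not actually cover the host at the same depth. This is not VerSprite's code or any scanner's format; the host names, plugin IDs and the credentialed flag are hypothetical stand-ins for the fields a real export would carry.

```python
"""Classify findings that disappeared between two scans.

Added example. Both scan exports below are constructed; a real one would be
loaded from the scanner's CSV or JSON export. The hypothetical 'credentialed'
flag records whether the host was scanned with credentials in that run."""

PREVIOUS_SCAN = {
    "hosts": {
        "web-01": {"credentialed": True},
        "web-02": {"credentialed": True},
        "db-01": {"credentialed": True},
    },
    "findings": [
        {"host": "web-01", "port": 443, "plugin": "PLG-100", "severity": "high"},
        {"host": "web-02", "port": 80, "plugin": "PLG-100", "severity": "high"},
        {"host": "db-01", "port": 5432, "plugin": "PLG-200", "severity": "critical"},
        {"host": "web-01", "port": 22, "plugin": "PLG-300", "severity": "low"},
    ],
}

NEXT_SCAN = {
    # db-01 is absent entirely (offline or excluded); web-02 was scanned
    # without credentials this time, so local checks could not run.
    "hosts": {
        "web-01": {"credentialed": True},
        "web-02": {"credentialed": False},
    },
    "findings": [
        {"host": "web-01", "port": 22, "plugin": "PLG-300", "severity": "low"},
    ],
}

RETEST_SEVERITIES = {"critical", "high"}


def finding_key(finding):
    """Identity of a finding across scans: host, port and check."""
    return (finding["host"], finding["port"], finding["plugin"])


def classify_missing(previous, following):
    """Map each previous finding to a verdict.

    still_present                - reported again in the following scan
    unverified_host_not_scanned  - host absent from the following scan
    unverified_scan_depth_reduced- host scanned, but with less access than before
    likely_fixed_manual_retest   - gone, but severity warrants a manual retest
    likely_fixed                 - gone, and low enough to close on scan evidence
    """
    following_keys = {finding_key(f) for f in following["findings"]}
    verdicts = {}
    for finding in previous["findings"]:
        key = finding_key(finding)
        host = finding["host"]
        if key in following_keys:
            verdicts[key] = "still_present"
            continue
        host_meta = following["hosts"].get(host)
        if host_meta is None:
            verdicts[key] = "unverified_host_not_scanned"
        elif previous["hosts"][host]["credentialed"] and not host_meta["credentialed"]:
            verdicts[key] = "unverified_scan_depth_reduced"
        elif finding["severity"] in RETEST_SEVERITIES:
            verdicts[key] = "likely_fixed_manual_retest"
        else:
            verdicts[key] = "likely_fixed"
    return verdicts


def retest_queue(verdicts):
    """Findings that should go to a human for confirmation rather than be closed."""
    return sorted(k for k, v in verdicts.items() if v != "still_present" and v != "likely_fixed")


if __name__ == "__main__":
    results = classify_missing(PREVIOUS_SCAN, NEXT_SCAN)
    for key, verdict in results.items():
        print(f"{key}: {verdict}")
    print("needs human follow-up:", retest_queue(results))
```

Only the low-severity finding that truly disappeared under equal coverage is closed on scan evidence; everything else is either still open or queued for a person, which is the distinction the two questions above are asking you to make.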
Interested in learning more about VerSprite’s Continuous Vulnerability Management Service?