Skip to main content


Showing posts from June, 2021

Vulnerability States and the Over-Reliance on Numbers from Tools

I've just had a discussion with a fellow Head of Cybersecurity around vulnerabilities and two things struck me that people need to understand: firstly, vulnerabilities have different states and secondly, scanning tools don't have all the context so can't actually tell you what risk you are running.  Our discussion started with a statement from them that vulnerabilities are black and white - they're either there or not. It's actually a bit more nuanced than that though. Without making this more complicated than it needs to be, inherently there are two states a vulnerability can be in: exploitable or unexploitable (sometimes called active or dormant with other subtleties). This doesn't mean that they are being exploited, but that it is either possible to exploit the vulnerability in the current configuration (however hard that may be) or it isn't without some other change happening first.  In our discussion, my peer argued that if it is unexploitable then ther