Friday, October 25, 2024

Imagine a Vulnerability Testing tool that defaults to showing you partial results

Well, to my surprise, Tenable.IO has added a new setting that defaults to NOT showing you everything.

So when creating a new scan, you are faced with this new option:

That reads:  

SCAN FOR UNPATCHED VULNERABILITIES (no patches or mitigation available)

Now, once you know this setting exists and that it is OFF by default, you can obviously set it to ON when you create a new scan. You can also retrain everyone using the tool so they do the same.

You are still left with TWO major issues.

The least important one: human error. I still accidentally create scans today that have the SHOW SUPERSEDED setting still ON by default, because Tenable sets that very, very stupid setting to ON by default. So I and others will certainly launch scans that have this new (and equally stupid) setting OFF and potentially get partial results without knowing it.

The MOST important issue: all your past scan tasks are now set to OFF on this setting. This means that for every client we manage, and every scan task (for us, this totals tens of thousands of scan tasks), we have to open each one and set this setting to ON.


What the heck, Tenable. You are a vulnerability assessment and reporting tool. And in my opinion, this is your main mission regardless of whether a fix is published.

If I have a critical and exploitable vulnerability on a critical system, I want to know so I can decide how I will mitigate that risk.  

Will I turn the system off? Will I investigate the issue and see if my other countermeasures can be tuned to reduce this risk? These are risk management decisions that fall outside of your responsibility.

Your job is to report on vulnerabilities regardless of how easy they are to address, and ceasing to do this by default is a grave failure.

I am 100% AGAINST THIS SETTING being off by default.  It should be an individual decision taken by your clients.  That setting equates to wanting to be willfully blind.  Today we are told it applies to Red Hat only, but who knows for the future.

I remain stunned that this made it into production. If you are going to add new settings that can have large impacts like this, we should also be able to set them globally and not have to do this task by task.

So Tenable users.....

Below is the full panel so that if you decide you want to cancel Christmas and go through all your scan tasks you can easily find this new setting and start clicking.

Or, write me a note, as we will write software to call the API and do this automatically since I am not going to subject myself or my staff to do this manually.
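A bulk-update job of the kind described above, added here as an example: it is not code from the post, from the EVA team's tool, or from Tenable. It walks every scan task, flips the setting only where it is not already ON, and defaults to a dry run so the list of tasks about to change can be reviewed before anything is written. The API shape behind `ScanApi`/`FakeScanApi`, the key name `SETTING_KEY`, and the `"yes"`/`"no"` values are all assumptions made for the example; a real run would implement the same three calls over the documented Tenable.io scan endpoints and substitute the actual key for the new option.

```python
"""Bulk-enable a per-scan checkbox across every scan task, with a dry run.

Added example; it is not code from the original post, from the EVA team, or
from Tenable.  It runs entirely offline against FakeScanApi, which models the
scan list / read-settings / update-settings calls.  Assumptions:
  * SETTING_KEY is a PLACEHOLDER; the real JSON key behind the "scan for
    unpatched vulnerabilities" checkbox is not on the page.
  * Settings are string-valued "yes"/"no" flags (an assumption about shape).
To run it for real, replace FakeScanApi with a class that implements the same
three methods on top of the documented Tenable.io scan endpoints.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Protocol

SETTING_KEY = "PLACEHOLDER_scan_unpatched_vulns"  # ASSUMPTION: not the real key
ON, OFF = "yes", "no"                             # ASSUMPTION: flag encoding


class ScanApi(Protocol):
    """The three calls the bulk job needs; a real client maps them to HTTP."""
    def list_scans(self) -> List[dict]: ...
    def get_settings(self, scan_id: int) -> Dict[str, str]: ...
    def update_settings(self, scan_id: int, changes: Dict[str, str]) -> None: ...


@dataclass
class FakeScanApi:
    """In-memory stand-in holding constructed scan tasks (sample data)."""
    scans: Dict[int, Dict[str, str]] = field(default_factory=dict)
    writes: List[int] = field(default_factory=list)  # audit trail of update calls

    def list_scans(self) -> List[dict]:
        return [{"id": sid, "name": s["name"]} for sid, s in self.scans.items()]

    def get_settings(self, scan_id: int) -> Dict[str, str]:
        return dict(self.scans[scan_id])

    def update_settings(self, scan_id: int, changes: Dict[str, str]) -> None:
        self.writes.append(scan_id)
        self.scans[scan_id].update(changes)


@dataclass
class Report:
    """Which scan ids were already ON, were changed, or would change (dry run)."""
    already_on: List[int] = field(default_factory=list)
    changed: List[int] = field(default_factory=list)
    would_change: List[int] = field(default_factory=list)


def enable_everywhere(api: ScanApi, key: str = SETTING_KEY, dry_run: bool = True) -> Report:
    """Set `key` to ON on every scan where it is not already ON.

    Idempotent: scans already ON are never written, so re-running after a
    partial failure only touches the remainder.  dry_run=True (the default)
    reports what would change without calling update_settings.
    """
    report = Report()
    for scan in api.list_scans():
        sid = scan["id"]
        if api.get_settings(sid).get(key) == ON:
            report.already_on.append(sid)
        elif dry_run:
            report.would_change.append(sid)
        else:
            api.update_settings(sid, {key: ON})
            report.changed.append(sid)
    return report


def sample_api() -> FakeScanApi:
    """Constructed sample: one scan already ON, one OFF, and one with no key
    at all (the state of a pre-existing task after the option was introduced)."""
    return FakeScanApi(scans={
        101: {"name": "client-a weekly", SETTING_KEY: ON},
        102: {"name": "client-b monthly", SETTING_KEY: OFF},
        103: {"name": "client-c legacy"},
    })


if __name__ == "__main__":
    api = sample_api()
    print("dry run:", enable_everywhere(api))
    print("apply:  ", enable_everywhere(api, dry_run=False))
    print("rerun:  ", enable_everywhere(api, dry_run=False))
```

The dry run is the important part when the job will touch tens of thousands of tasks: review `would_change` first, then run with `dry_run=False`, and a second run should report nothing changed, which doubles as a check that every task now has the option ON.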

@EVA Team, please add this to our TFCT (Tenable Failure Compensation Tool) that we keep coding to address the shortcomings of this commercial solution.

NOTE: All these commercial solutions have shortcomings. So keep in mind that when I write a negative blog post about Tenable, I do it as therapy and to push Tenable (one of my key partners) to get their act together and stop taking less than ideal decisions. Since we work with many other tools, I can tell you with great certitude that they all have a long list of shortcomings.

----------------------------------

Eric Parent is a senior security expert, specialized in coaching senior executives.  He occasionally teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.


Follow Eric on:

Twitter @ericparent

LinkedIn :  EVA-Technologies

www.eva-technologies.com
