
[Repost] Interpreting the Results of a Vulnerability Assessment

Original source: http://www.infosecwriters.com/te ... essment_KBeaver.pdf
Authors: Kevin Beaver, CISSP, and Caleb Sima

Web application security testing tools are extremely savvy and are able to root out vulnerabilities in minutes that would take the best hacker in the world hours, months, or more to find. The issue is that you’ve got to take the tool results and determine what actually matters in your environment. We’ve seen inexperienced Web application security consultants, managed security service providers, and auditors run vulnerability assessment scans and then hand the results over to their clients purporting they have a bunch of problems that need to be fixed. Likewise, we’ve seen network administrators absolutely freak out when they see that their Web application security testing tool has found a dozen or more vulnerabilities. They believe the sky is falling and immediately run to management asking for more budget to buy more technology to fix the problems.

Attachment

Vuln_Assessment_KBeaver.rar (82 KB)

2007-3-23 19:13, downloads: 52
