When analyzing vulnerability scan results:
- Determine an approach to categorizing client assets (for example, by network exposure, business role, or the sensitivity of the data they hold).
- Categorize assets according to the approach you've chosen.
- Identify the reasons why a scanner may produce false positives (for example, version detection from service banners on systems that backport patches, or plugins that fire on software the host does not actually run).
- Validate the results by comparing them with what you already know about the target environment.
- Acknowledge that you may not be able to eliminate false positives entirely.
- Rank vulnerabilities by the threat they pose.
- Consider using an established scoring system such as CVSS rather than an ad hoc scale.
- Set vulnerability priorities so that your time and budget go to the findings that matter most.
- Let the threat rankings drive how you prioritize vulnerabilities.
- Strike a balance between a vulnerability's impact and its ease of exploitation.
- Factor mitigation cost into your vulnerability prioritization.
- Identify common themes across your vulnerability results and your observations of the target.
- Apply any patterns of behavior you observe to future testing efforts.
- Use those common themes to build a more complete picture of the target environment.
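The checklist above is one procedure: categorize the assets, validate the scanner's findings against what you know about the hosts, score each finding with CVSS, rank by score, asset criticality and mitigation cost, and then look for recurring themes. The following Python script, an added example that is not part of the original page or any scanner product, walks through all of those steps on a constructed inventory and finding set. The CVSS v3.1 base-score calculation follows the FIRST specification; the asset categories, criticality values, finding titles, themes, mitigation-cost estimates and the priority weighting (base score scaled by asset criticality, then divided by mitigation cost) are all assumptions made for illustration.

```python
"""Scan-result triage: categorize assets, validate findings, score with
CVSS v3.1, rank by criticality and mitigation cost, group by theme.
Added illustration with constructed data; not output from a real scanner."""
import math
from collections import defaultdict
from dataclasses import dataclass

# CVSS v3.1 base-metric weights (FIRST specification, section 7.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}  # (S:U, S:C)
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, avoiding float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss31(vector):
    """Return (base score, impact sub-score, exploitability sub-score) for a
    base vector such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    exploit = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]][changed] * UI[m["UI"]]
    if impact <= 0:
        return 0.0, 0.0, round(exploit, 1)
    base = roundup(min((1.08 if changed else 1.0) * (impact + exploit), 10))
    return base, round(impact, 1), round(exploit, 1)


# Constructed asset inventory. Categorization approach here: network exposure
# plus role, with a 1..5 business criticality assigned by the analyst.
ASSETS = {
    "10.0.1.10": {"category": "internet-facing web", "criticality": 5,
                  "software": {"apache httpd", "openssh", "php"}},
    "10.0.2.20": {"category": "internal database", "criticality": 4,
                  "software": {"postgresql", "openssh"}},
    "10.0.3.30": {"category": "workstation", "criticality": 2,
                  "software": {"windows", "chrome"}},
}


@dataclass
class Finding:
    host: str
    title: str
    product: str          # software the scanner plugin keyed on
    vector: str           # CVSS v3.1 base vector reported by the scanner
    theme: str            # analyst-assigned bucket used for pattern spotting
    mitigation_cost: int  # 1 (config change) .. 5 (re-architecture), analyst estimate
    confirmed: bool = False  # set once manually verified


# Constructed findings. The third has the classic false-positive shape: a
# banner-based plugin firing for software the host does not run.
FINDINGS = [
    Finding("10.0.1.10", "Outdated web server build reported by banner", "apache httpd",
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "outdated-software", 2, True),
    Finding("10.0.1.10", "Reflected cross-site scripting in search parameter", "php",
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "input-validation", 3, True),
    Finding("10.0.3.30", "Outdated SSH build reported by banner", "openssh",
            "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "outdated-software", 1),
    Finding("10.0.2.20", "Outdated SSH build reported by banner", "openssh",
            "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "outdated-software", 1),
    Finding("10.0.2.20", "Database service allows local privilege escalation", "postgresql",
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "patch-management", 4),
]


def validate(f):
    """Compare a finding with what is known about the host.
    Returns 'confirmed', 'likely-false-positive' or 'unverified'."""
    if f.product not in ASSETS[f.host]["software"]:
        return "likely-false-positive"  # plugin keyed on software the host lacks
    return "confirmed" if f.confirmed else "unverified"


def prioritize(findings):
    """Rank findings that survive validation. Impact and ease of exploitation are
    already balanced inside the CVSS base score; 'priority' scales it by asset
    criticality, 'cost_adjusted' additionally divides by mitigation cost.
    The weighting is illustrative, not a standard."""
    rows = []
    for f in findings:
        status = validate(f)
        if status == "likely-false-positive":
            continue
        base, _, _ = cvss31(f.vector)
        priority = base * ASSETS[f.host]["criticality"] / 5
        rows.append({"host": f.host, "title": f.title, "status": status, "cvss": base,
                     "priority": round(priority, 1),
                     "cost_adjusted": round(priority / f.mitigation_cost, 2)})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


def themes(findings):
    """Map each theme to the asset categories it appears in, to spot patterns
    that cut across individual hosts."""
    out = defaultdict(set)
    for f in findings:
        if validate(f) != "likely-false-positive":
            out[f.theme].add(ASSETS[f.host]["category"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
    print(themes(FINDINGS))
```

The workstation finding is dropped because its plugin keyed on a product the inventory says is not installed there; that is the "compare results to what you know" step, and it only works if the inventory is trustworthy, which is why the remaining findings still carry an `unverified` status until someone checks them. Swap the priority weighting for whatever your engagement uses; the point is that the ordering is reproducible and the inputs to it are visible.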