Guidelines for Analyzing Vulnerability Scan Results

When analyzing vulnerability scan results:

• Determine an approach to categorizing client assets.
• Categorize assets according to the approach you've chosen.
• Identify the reasons why a scanner may produce false positives.
• Conduct results validation by comparing results to what you know about the target environment.
• Acknowledge that you may not be able to eliminate false positives entirely.
• Rank vulnerabilities in terms of the potential threat they pose.
• Consider using an established ranking system like the CVSS.
• Determine vulnerability priorities to use your time and money as effectively as possible.
• Use threat rankings to influence how you prioritize vulnerabilities.
• Strike a balance between a vulnerability's impact and its ease of exploitation.
• Consider mitigation costs as an effect on your vulnerability prioritization.
• Identify common themes in your vulnerability results and target observations.
• Leverage a pattern of behavior on future testing efforts.
• Use common themes to develop a more complete picture of the target environment.