Everybody’s Talkin’… no one’s doing?
Talking to a CSO of a Fortune 500 company and a CSO of a bank… asked them if they ran scanners or vulnerability assessment tools on their home systems.
No. Of course no. 0-3. And pretty much no one I know in the security profession does… it’s way too painful, way too hard, way too… much of a pain in the ass. We talk the talk, but don’t walk the walk.
Jesus, what a fuckin’ pain to run Nessus, Qualys, Metasploit, you name your scanner. Sure, maybe once. It sort of works. Then it’s your turn to decipher the cryptic outlook. Medium vulnerability… hmm. But over time… who really watches? What should I do?
No one knows.