Trust but verify
Someone tells you they have fixed something; now go and check! You might find that it is not actually fixed, or that the ‘fix’ made the issue worse (or made new vulnerabilities appear). You might, however, also find that the vuln is gone.
Wow, so many options! The reality of this space is that you have to keep checking, and you also need to validate.
Validation is key. People do not say they think something is fixed because they have done nothing; we all have scenarios where we make a change, assume it works and then find out later that a bit more testing would have helped (I have this too!).
Try, Try Again
If you are in the offensive security space, you will have heard the infamous ‘try harder’ phrase. I wrote about this a while ago, arguing that ‘keep trying’ is more appropriate, but either way it also applies to blue-team work.
As a defender you want to know that your controls are likely to hold up, not assume they will. This is not a perfect science, because there may be vulns you cannot test for or that have not even been discovered yet, but to throw the baby out with the bath water is a fool’s approach. Better to test what you can within the constraints than simply hope.
When we look at the vulnerability management process, it is iterative. It requires us to constantly discover, assess, prioritise and remediate, but critically it requires us to validate!
The duration, perspectives, frequency and exact methods you use will vary. Having multiple viewpoints is a great idea, as is conducting tests from both an authenticated and an unauthenticated perspective. Vulnerability management is for sure a purple-team activity, so however you look at this, the key to it is ensuring it is effective not only in discovery but also in remediation.
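To make the validation step concrete, here is an added example (not code from the original post) that re-runs a small set of checks after a claimed fix, from an authenticated and an unauthenticated perspective, and classifies each finding as fixed, still open, or newly introduced. The checks, the `Response` stand-in and the before/after responses are all constructed for illustration.

```python
"""Re-validate a claimed fix: compare the original findings with a re-test,
per perspective, so a 'fixed' claim is verified rather than trusted."""
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not a real client)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Each check returns True when the finding is present in the response.
def check_hsts(r: Response) -> bool:            # HSTS header missing
    return "Strict-Transport-Security" not in r.headers

def check_server_banner(r: Response) -> bool:   # version number disclosed
    return any(ch.isdigit() for ch in r.headers.get("Server", ""))

def check_dir_listing(r: Response) -> bool:     # directory listing enabled
    return "Index of /" in r.body

CHECKS = {"missing-hsts": check_hsts,
          "server-banner": check_server_banner,
          "dir-listing": check_dir_listing}


def scan(responses: dict) -> dict:
    """Return {perspective: set of finding ids} for the given responses."""
    return {p: {fid for fid, chk in CHECKS.items() if chk(r)}
            for p, r in responses.items()}


def validate_fix(before: dict, after: dict) -> dict:
    """Per perspective: what was fixed, what is still open, what is new."""
    verdicts = {}
    for p in set(before) | set(after):
        b, a = before.get(p, set()), after.get(p, set())
        verdicts[p] = {"fixed": sorted(b - a),
                       "still_open": sorted(b & a),
                       "new": sorted(a - b)}
    return verdicts


# Constructed sample: the fix landed only on the public path and, while
# removing the banner and adding HSTS there, exposed a directory listing.
BEFORE = {"unauthenticated": Response(200, {"Server": "nginx/1.18.0"}, "<html>home</html>"),
          "authenticated": Response(200, {"Server": "nginx/1.18.0"}, "<html>dashboard</html>")}
AFTER = {"unauthenticated": Response(200, {"Server": "nginx",
                                           "Strict-Transport-Security": "max-age=31536000"},
                                     "<html>Index of /</html>"),
         "authenticated": Response(200, {"Server": "nginx"}, "<html>dashboard</html>")}
VERDICTS = validate_fix(scan(BEFORE), scan(AFTER))
```

Running it shows the claim holds only from the unauthenticated side, and even there the change introduced a new finding, which is exactly the outcome you only learn by re-testing.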
Summary
Generally speaking, you do not get caught out by what you know about; it is what you do not know that gets you in this game. By having a continual vulnerability management process and by validating your controls, you will greatly improve your security posture, reduce business risk, and get a better return on investment. What is not to like!