A hands-on guide to improving an organization's computer security and developing scanning tools on a budget.
Practical Vulnerability Management discusses the components of a vulnerability management program and shows the reader how to build a free or low-cost system to automatically handle the repetitive aspects of vulnerability management. Vulnerability management is a critical and sometimes neglected aspect of information security. It consists of two main parts: awareness and action. First, the security practitioner must be aware of the vulnerabilities that exist in an organization's systems and understand how dangerous each one is. Second, that information must feed into an ongoing process of addressing vulnerabilities by updating the vulnerable systems or otherwise mitigating their severity.
There's some decent fundamental information in this book about vulnerability management, but it just misses the mark of what it portends to be given the title, front/back cover, and associated descriptions. There's not much practical about anything in there, and of what is, it was out-of-date by the time the book was published, which affects most books and other information sources in the technology and security world. I think we do need more treatises on vulnerability management (and today, also referenced as exposure management, among other buzzwords) as the current ones either purposefully or unknowingly miss or dance around the root problems that plague those programs that are generally unsuccessful. While there are always better ways to detect vulnerabilities, exposures, and/or any other entity that we might claim presents some level of risk from a technical standpoint, the "detection" part of VM/EM has generally been solved, at a conceptual high level at least. The difficult, and in my opinion, complex issues that prevent VM/EM programs from realizing success are less tangible than some notional VM/EM circular/recurring process that one might find in some marketing material or the like. I will just state it like this, for the sake of brevity: at least up front, generally speaking, nobody cares if a security practitioner has found one million "vulnerabilities" or a thousand, or whatever. All that data looks cool in the detection tools, sure. However, without alignment to an organization's mission or vision, and/or its critical function(s) clearly articulated in a recurring and understandable fashion, VM/EM success will be nearly impossible to obtain. I would argue that books (emphasis: plural) could and should be written diving deep into those last two sentences alone. This one just doesn't even approach anything of the sort.
Straightforward, textbook. This was a helpful overview on how to approach vulnerability management; it felt comprehensive while not being bloated with useless information. The hands-on portion helped me see how to put the theoretical parts together.
Very simplified approach to explaining vulnerability management. Part 2 of the book is interesting and is a nice project for understanding the inner workings of how commercial vulnerability management software works. Very easy and simplified read.