Comments on "Assuming the breach: Hofstadter's Corollary on Remediation" (Planet Heidi)

Anonymous, 2012-08-08 07:53 (-07:00):

While I agree with nearly everything you've said, the fact of the matter is the consultant needs to (should) convey some idea of the relative effort to remediate the vulnerabilities found. Every vulnerability isn't as important, nor as difficult to fix, as the others.

As a consultant, I can never know all the things that might influence the effort required (and you're certainly not going to pay me to find out), so I have to go with some sort of scale. "Low, med, high" may not be accurate, but "High, very high, very very high" isn't any better.

Planet Heidi, 2012-08-08 08:17 (-07:00):

Agreed that as a consultant (and I was an infosec consultant for 7 years, so I am familiar), it's very useful to scale the vulnerabilities. Things I'd be happy with: rating the severity of the vulnerability and not necessarily adding an estimate of remediation effort.
Or caveating the remediation effort: "Relatively easy remediation based on average organizational resources, etc."
Or gathering SOME information from the client before answering, as opposed to guessing completely blind (which has been my experience with all vendors so far).