Information security report – What assumptions are commonly made about reports?

There are several assumptions about information security reports that aren’t always accurate. In this blog, we’ll address common assumptions we’ve heard and correct the misconceptions surrounding them. In our previous blog, we discussed the different parts of an information security report and what makes a good report. You can read our previous blog here.

“Low-level findings aren’t worth fixing”

One of the most common assumptions is that low-level findings or weaknesses aren’t worth fixing because they’re so insignificant. This may be true in the sense that such a vulnerability or weakness alone may not cause major problems. Companies can make their own decisions about prioritizing which findings to fix, but the number of low-level findings or weaknesses should be taken into account in decision-making. Quite often, there may be nearly ten different weaknesses reported. Together, these can increase the likelihood of successfully exploiting a more serious vulnerability. Security is often described using the onion model, meaning security should be thought of as the different layers of an onion. A single layer alone doesn’t do much, but when multiple layers are added, the system is much better protected.

“Even one finding means security has failed”

Another frequently heard assumption is that if any findings are made about a system, its security can be considered a failure. Perhaps this relates to the fact that you rarely hear companies talk about security vulnerabilities found in their systems, and much more often only that security testing has been conducted. However, it’s extremely rare for a tested system to have no findings at all in the report. There’s almost always something small to note from a security perspective. Systems are often developed and tested during development one feature or new component at a time, and the entire system as a whole is rarely reviewed comprehensively. For software developers, the system is also thoroughly familiar, which can make it difficult to see the whole picture with fresh eyes. This is why it’s good to have an outside party review the system and verify that all system components work together as intended. And even if a report contains many findings, at 2NS for example, we don’t view this as a failure on our client’s part. The complexity of modern network systems and the rapid evolution of security threats make protecting systems increasingly difficult. However, we can also help integrate security better into the software development process as needed.

Minja Silvennoinen, Information Security Specialist

2NS Cybersecurity Oy