Confirmed vs Potentials
The way humans view things seems to be "We'll fix what is definitely wrong, then go after the rest later". In many cases this is a sound strategy, because time and resources are always limited.
Consider, though, a search for vulnerabilities that turns up strong suspicions of serious issues, but where limited access (typically an unauthenticated scan that can only see banners and exposed services) makes it impossible to confirm them with certainty. On balance, it is likely that the vulnerability exists.
A "potential" vulnerability that is real is exactly as exploitable as a confirmed one, and if it is rated severe then that is the damage an exploit would do. Rating it lower, or leaving it out, simply because the scanner could not prove it does not reduce the risk. It is therefore worth changing the thinking around this and seriously considering including potential vulnerabilities alongside confirmed ones in your vulnerability management programme.
But won't that leave me with many vulnerabilities that, when investigated, turn out not to be issues after all, while my statistics show a worse situation than really exists? Well, maybe. Remember that we are looking at this activity from the perspective of risk: an unresolved potential finding is unquantified risk, and reporting it is more honest than silently dropping it. So what can you do to improve the situation?
Using authentication (credentialed scanning) during the assessment resolves all but a few of the potential findings one way or the other. With credentials the scanner can read installed package versions, patch levels and configuration directly on the target, rather than inferring them from what external ports and services reveal, so most "potentials" become either confirmed or shown to be absent. That is how the real security posture is arrived at.
Any potential vulnerabilities that remain and are subsequently shown not to be an issue can be dealt with by "ignoring" them (or automatically masking them, with an explanation of why). They will still appear during assessment but won't make their way into reports. Record who made the decision and when it should be reviewed, because a masked finding on a host that is later rebuilt or reconfigured may no longer be a false positive.
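The triage flow described above (potentials kept at their rated severity, masked findings retained in the assessment record but excluded from the report, and masks that expire and must be re-reviewed), as an added example that is not part of the original post. The findings, host names, plugin IDs and exemption records are constructed for illustration and do not correspond to any real scanner's output format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    """One scanner result. confirmed=False is what the post calls a 'potential'."""
    host: str
    plugin_id: str
    title: str
    severity: str        # "critical", "high", "medium" or "low"
    confirmed: bool


@dataclass
class Exemption:
    """A mask for a finding shown not to be an issue: reason, owner and a
    review date after which the mask lapses and the finding reappears."""
    host: str
    plugin_id: str
    reason: str
    approved_by: str
    expires: date


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def active_exemption(finding: Finding, exemptions: list, today: date) -> Optional[Exemption]:
    """Return the exemption masking this finding, or None if there is none
    or the only matching one has passed its review date."""
    for e in exemptions:
        if (e.host, e.plugin_id) == (finding.host, finding.plugin_id) and e.expires >= today:
            return e
    return None


def triage(findings: list, exemptions: list, today: date):
    """Split findings into (report, masked).

    report: confirmed and unmasked potential findings, ordered by severity.
            Potentials are NOT pushed down the list for being unconfirmed;
            within a severity, confirmed ones sort first.
    masked: (finding, exemption) pairs, kept so the assessment record is
            complete even though they are left out of the report."""
    report, masked = [], []
    for f in findings:
        e = active_exemption(f, exemptions, today)
        if e is None:
            report.append(f)
        else:
            masked.append((f, e))
    report.sort(key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), not f.confirmed, f.host))
    return report, masked


def summary(report: list) -> dict:
    """Counts for the statistics: showing confirmed and potential separately
    answers the 'my numbers look worse than reality' objection without
    hiding the potentials."""
    confirmed = sum(1 for f in report if f.confirmed)
    return {"confirmed": confirmed, "potential": len(report) - confirmed}


# Constructed sample data (hosts, IDs and titles are invented for this example).
TODAY = date(2024, 6, 1)

SAMPLE_FINDINGS = [
    Finding("web01", "P-1", "Vulnerable package version (authenticated check)", "high", confirmed=True),
    Finding("web01", "P-2", "Possible SQL injection in login form", "critical", confirmed=False),
    Finding("db01", "P-3", "TLS 1.0 may be enabled", "medium", confirmed=False),
    Finding("app02", "P-4", "Directory listing may be enabled", "low", confirmed=False),
]

SAMPLE_EXEMPTIONS = [
    # Checked on the host, still within its review window: masked.
    Exemption("db01", "P-3", "TLS 1.0 disabled in config; scanner inferred from stale banner",
              "a.smith", date(2024, 12, 31)),
    # Review date has passed: the finding comes back until someone re-checks it.
    Exemption("app02", "P-4", "Listing disabled during 2023 hardening",
              "b.jones", date(2024, 1, 31)),
]

if __name__ == "__main__":
    report, masked = triage(SAMPLE_FINDINGS, SAMPLE_EXEMPTIONS, TODAY)
    for f in report:
        print(f"{f.severity:8} {'confirmed' if f.confirmed else 'POTENTIAL'}  {f.host} {f.plugin_id} {f.title}")
    for f, e in masked:
        print(f"masked   {f.host} {f.plugin_id}: {e.reason} (by {e.approved_by}, review by {e.expires})")
    print(summary(report))
```

Running it lists the potential SQL injection at the top of the report, above the confirmed high-severity package issue, leaves the expired low-severity mask in the report for re-checking, and shows the TLS 1.0 finding only in the masked section with its justification.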