Why Common Vulnerability Scanning Practice is Useless?

I hope you will find this so obvious but unfortunately security community is highly relied on vulnerability scanning in a way which makes it totally useless or even harmful!  Vulnerability assessment is evaluating of a System against known and potential security flaws. A System is simply a collection of processes, workflows, people, nodes, software…but traditional […]

Vendor Risk Assessment: Hassle or Blessing?!

A Security Questionnaire, RFI, VRA (Vendor Risk Assessment), VR Management…helps customers identify and evaluate the risks of using a vendor’s product or service. Performing such a review is sometimes mandatory based on the industry (e.g. healthcare). During this standard business process, customer collects written information about security capabilities of a supplier and you could barely […]

ISMS is Not equal to Real Security!

Is having an information security management system equal to actual security?  Nop! Having an information security management system is not an indication of quality of security controls. Management systems are easier way of administration in a standard and systematic way, but they do not necessarily an indication of security control effectiveness.  As an example, ISO […]