But the point is that the original poster is NOT the one running the scan. And the results of the scan (complaining about vulnerabilities based on version numbers) indicate that it is not a true 'security' scan anyway. For (almost) every CVE issued, there is a way to mitigate the risk that does not involve installing "the latest and greatest with all the new fixes". It is at best a superficial scan of the type that is sold to PHBs so they can "check the box".
I've spent a lot of hours trying to educate auditors.
On Wed, 30 Jun 2010, Frank Cox wrote:
> The point is that the security scan is supposed to be verifying that your setup is, in fact, secure. If you change your setup before running the scan, and then change it back immediately afterward, how is that verifying that your setup is, in fact, secure? What you scanned != what you are actually using.
>
> If your purpose is simply to check off a box on a form, why not just write the Sooper Dooper Security Scanner yourself?
----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE                jim@rossberry.com
http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine
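The "vulnerable because of the version number" problem Jim describes above comes from scanners that compare the advertised upstream version with the upstream "fixed in" version, which is exactly the case where a distribution that backports fixes (RHEL/CentOS keep the upstream version string and bump the package release) is flagged falsely. The script below is an added example, not from the thread or from any scanner; it contrasts that naive banner check with one that also looks for evidence of a backported fix in the package changelog (what `rpm -q --changelog` prints). CVE-2009-3555 is a real identifier (the TLS renegotiation flaw), but the fixed-in version, the package release and the changelog text are constructed sample input to illustrate the mechanism, not the real advisory data.

```python
import re
from typing import Optional, Tuple

# --- constructed sample input -------------------------------------------
# What a remote banner scan sees, and what the local package manager would
# report on a RHEL/CentOS-style host (`rpm -q httpd`, `rpm -q --changelog httpd`).
# The CVE id is real; the fixed-in version, release number and changelog
# lines are illustrative assumptions, not taken from an actual advisory.
CVE = "CVE-2009-3555"
UPSTREAM_FIXED_IN = "2.2.15"
BANNER = "Server: Apache/2.2.3 (CentOS)"
CHANGELOG = """\
* Wed Mar 10 2010 packager@example.com - 2.2.3-43
- backport upstream fix for CVE-2009-3555 (TLS renegotiation)
* Mon Feb 01 2010 packager@example.com - 2.2.3-42
- rebuild
"""


def parse_version(s: str) -> Tuple[int, ...]:
    """Numeric tuple so that 2.2.15 sorts after 2.2.3 (a string compare gets this wrong)."""
    return tuple(int(p) for p in s.split("."))


def banner_version(banner: str) -> Optional[str]:
    """Extract the advertised Apache version from a Server header, if any."""
    m = re.search(r"Apache/(\d+(?:\.\d+)*)", banner)
    return m.group(1) if m else None


def naive_scan(banner: str, fixed_in: str) -> bool:
    """The 'check the box' heuristic: advertised version older than the upstream fix => flagged."""
    v = banner_version(banner)
    if v is None:
        return True  # nothing to compare; a superficial scanner flags it anyway
    return parse_version(v) < parse_version(fixed_in)


def changelog_mentions(changelog: str, cve: str) -> bool:
    """Backported fixes are normally recorded by CVE id in the package changelog."""
    return re.search(r"\b" + re.escape(cve) + r"\b", changelog) is not None


def evidence_based_scan(banner: str, fixed_in: str, changelog: str, cve: str) -> str:
    """Combine the banner check with local evidence of a backported fix."""
    if not naive_scan(banner, fixed_in):
        return "not-affected: version at or after upstream fix"
    if changelog_mentions(changelog, cve):
        return "not-affected: fix backported (package changelog cites the CVE)"
    return "affected: no evidence of a fix"


if __name__ == "__main__":
    print("naive banner scan says vulnerable:", naive_scan(BANNER, UPSTREAM_FIXED_IN))
    print("evidence-based result:", evidence_based_scan(BANNER, UPSTREAM_FIXED_IN, CHANGELOG, CVE))
```

The same structure extends to a third evidence source, a configuration-level mitigation, which is the case Jim is pointing at: a host can be not affected without the package ever changing, and a scanner that only reads the banner cannot see that either way. Note also that the string-compare pitfall is a real one in home-grown checkers: `"2.2.15" < "2.2.3"` is true for Python strings, so any scanner that does not parse the version numerically will get the ordering backwards.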