Security Configurations do create vulnerabilities

Rapid7 has the odd understanding that Security Configurations are a compliance issue, not a vulnerability issue. With all due respect, there are only 3 ways to fix/remove a vulnerability: patch it, reconfigure it, or update/remove the offending software. R7 is SO fixated on patching that configurations seem to slip to the sideline. The reason it is a compliance check is that your device should be configured to a hardening standard. You must be compliant with that standard. But why is it a standard in the first place? For example, Web Servers will serve up encrypted connections. If not configured properly, they will offer weak/obsolete ciphers. And by default Web Servers will do cipher roll-back to honour old browsers and allow them to negotiate the strength of the connection. This can be avoided if the Web Server is configured properly and hardened to a good standard. The fact that R7 dismisses Security Configurations as a mere compliance issue demonstrates a fundamental lack of understanding of vulnerability management. I seriously question R7's capabilities and where they are taking their products. Basically nothing has changed in the core scanning functionalities in the last 10 years except the introduction of agents. The tool still struggles with basic OS identification and being able to dynamically run appropriate tests. Apparently, to properly run Security Configuration scans you have to already know the OS and then set up a SEPARATE scan to target those assets and only run the appropriate hardening tests. Are you kidding me? That is SO much operational overhead. We have a complex environment with firewalls using timed policies to allow scans, and now I have to duplicate all of that for configuration scans and break each environment down by OS and service so I can target them with the right configuration tests? If you are thinking of using R7, ask about these concerns and see how they answer you.
The product is fundamentally flawed, a product that grew out of user requests, not actual architecture and meeting scan requirements that are best practice.

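The web-server point above (a misconfigured server offering obsolete protocols and weak ciphers is a vulnerability, not just a compliance gap) can be checked directly from the configuration. The following is an added example, not code from the post or from Rapid7: it audits an nginx TLS fragment for obsolete `ssl_protocols`, weak `ssl_ciphers` tokens and a missing `ssl_prefer_server_ciphers on`, and shows a weak snippet beside a hardened one. Both snippets and the weak-token lists are constructed for illustration and are not an authoritative hardening standard.

```python
"""Audit an nginx TLS configuration fragment for weak protocols and ciphers.

Added example, not from the original post. The config snippets and the
"weak" lists below are constructed and illustrative only.
"""
import re

# Protocol versions a modern hardening baseline does not allow (constructed list).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-string tokens that indicate weak or obsolete algorithms (constructed list).
WEAK_CIPHER_TOKENS = {"NULL", "aNULL", "eNULL", "EXPORT", "EXP", "RC4", "DES",
                      "3DES", "MD5", "LOW", "MEDIUM"}


def audit_nginx_tls(config: str) -> list[str]:
    """Return human-readable findings for the TLS directives in an nginx config."""
    findings = []

    # ssl_protocols lists each enabled version separated by whitespace.
    for line in re.findall(r"^\s*ssl_protocols\s+([^;]+);", config, re.MULTILINE):
        for proto in line.split():
            if proto in OBSOLETE_PROTOCOLS:
                findings.append(f"obsolete protocol enabled: {proto}")

    # ssl_ciphers is an OpenSSL cipher string: entries separated by ':',
    # where a leading '!' or '-' removes a suite rather than enabling it.
    for line in re.findall(r"^\s*ssl_ciphers\s+['\"]?([^;'\"]+)['\"]?;", config, re.MULTILINE):
        for suite in line.split(":"):
            if suite.startswith(("!", "-")):
                continue  # explicitly disabled, so not a finding
            weak = set(re.split(r"[-+]", suite)) & WEAK_CIPHER_TOKENS
            if weak:
                findings.append(f"weak cipher entry: {suite} ({', '.join(sorted(weak))})")

    # Without server preference the client's ordering decides among the enabled suites.
    if not re.search(r"^\s*ssl_prefer_server_ciphers\s+on\s*;", config, re.MULTILINE):
        findings.append("ssl_prefer_server_ciphers is not on: server does not enforce its cipher order")
    return findings


# Constructed "before" fragment: old protocols, RC4/3DES, client-driven ordering.
WEAK_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL';
ssl_prefer_server_ciphers off;
"""

# Constructed "after" fragment hardened to a typical modern baseline.
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit_nginx_tls(cfg))} finding(s)")
        for f in audit_nginx_tls(cfg):
            print("  -", f)
```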