Reindl Harald writes:
Am 07.01.2012 06:35, schrieb Digimer:
>> if you have a big customer which hires a 3rd party auditor
>> you are NOT in the poisiton to give such arguments or
>> you can give them but you can not change ANYTHING in
>> the fact that finally "fix it or shutdown the service"
>> is what you have to do
>
> If you have a "security expert" who can't grasp the concept of
> back-ported bug fixes, and is unwilling to test for specific
> vulnerabilities' existence, it's time to get a new expert.
you are missing the point A BIG CUSTOMER has a security-expert
Tell your customer to ask for their money back. Offer to set up a test
server that their fustercluck of a scanner will claim to be vulnerable, yet
is not.
Or, better yet, tell your customer that you'll be happy to set up a server
that'll pass their nonsense of a scan, yet is vulnerable to some old exploit.