In Qualys, is .Net considered an OS level vulnerability or an application?
Thanks in advance,
I'm not sure Qualys makes that call. I fought this battle with my admin teams for quite a while because they claimed .NET was an application so they weren't responsible for patching. Once I proved to them that .NET is bundled with the OS and you cannot remove it, they gave in. I consider it to be OS as a result. If you want to call it an application, then it would be a bundled application tied into the OS. Definitely not on the same plane as something like 7-zip.
I agree with Mr. Greene. It will depend on the specific environment.
Now in our environment we need to strike the balance between, for example, the OS and what people expect.
Take a look at Microsoft SQL Server; is it part of the OS? In my opinion, NO. However, depending on the development team, a lot of them will assume the corporate patching is patching SQL Server. From a security point of view, patching groups would normally consider that "auto-patching" SQL Server and the like presents an unacceptable risk to the business on their side.
At that point it is more towards that development group or business to do their own validation that a SQL Server patch will not cause a major issue.
Sometimes we strike the middle ground of auto-patching NON-Production; and if no issues are reported in 2 weeks, production gets patched, or something like that.
It will still not address the cornucopia of software installed that needs patching but is not patched by the corporate environment. If you have a governance and license group this will help as they often have a lot more teeth.
All of this gets even more complicated in Linux, where even a Data Center install will come with things like the CUPS service for printing; I am not doing this in my data centers, so even with that I am removing a ton of services that just are not needed. I don't think Bluetooth is generally needed in the Data Center, for instance; in those cases you may apply an auto-update on security patches.
Bottom line: it will all depend on your environment(s) and the risk appetite of the organization(s) you're dealing with.
If I can help, please let me know.
Thank you both. Makes sense and I agree.