Comment by manfre

3 years ago

Many security compliance scans/audits, especially at larger companies, are about checking boxes and not practical security. I've done the same version hiding to get past nuisance reports.

Versions SHOULD be hidden from public queries. A proper assessment should identify versions anyway, by other means. If you hide them from your assessors to pass a scan, have cyber insurance, and later have an incident, coverage may be invalidated due to fraud (hiding data from the assessor) or incompetence on the part of the assessor you hired.

Assessment teams have varying quality. Get the best results for your org you can out of them.

  • Incompetence is frequent and expected.

    I did an assessment once where we were an add-on to a third-party platform. The assessor (from the third-party platform) reported we were using a vulnerable JavaScript library! I said we're not even using that library, so he must've mixed us up with someone else.

    Tons of back-and-forth emails. He eventually sent us a couple of screenshots from browser dev tools. It turned out the guy was talking about a library on their own platform. It took even more back-and-forth emailing until we escalated and the problem was resolved.