Richard Bejtlich just put up a post about the debate around whether we as security practitioners should focus on vulnerabilities or on threats.
I commented on his post, but thought it worth it to reproduce my thoughts here as well. Here’s what I said: