Should We Focus on Vulnerabilities or Threats?

Richard Bejtlich just put up a post about the debate around whether we as security practitioners should focus on vulnerabilities or on threats.

I commented on his post, but thought it worth it to reproduce my thoughts here as well. Here’s what I said:

Related posts:

1. Geeking Out on Air Quality Measurement

2. My Journey to Beginner Audiophile

3. Explaining Threats, Threat Actors, Vulnerabilities, and Risk Using a Real-World Scenario