Security Basics: Re: Vulnerability Scanning Doesn't Work

Re: Vulnerability Scanning Doesn't Work

From: Adriel T. Desautels <ad_lists_at_netragard.com>
Date: Mon, 12 Jan 2009 22:47:58 -0500

Michael,
        Let me clear it up for you. Automated tools, like vulnerability
scanners, are great when used properly and responsibly. They save
time and energy by finding low hanging fruit. That's where it ends.

        Many vendors produce deliverables that are the product (direct or
indirect) of automated tools. Those products are not only poor quality
but usually have minimal to no human talent involved. In my opinion
those businesses are providing a disservice and selling their
customers a false sense of security.

        What is the customer paying for anyway? Are they paying you to click
a button and run a scan, or are they paying you for your security
expertise? In too many cases security providers call themselves
experts but all they do is click that scan button. The unfortunate
truth is that this has become the norm and their customers don't even
know it. The fraudulent security providers are in fact taking
advantage of their customers. That's my beef.

        And so what if the customer requests that service? The provider is
supposed to be the expert. Educate the customer about what real
security testing is. Don't be a vulture and take their money because
it's easy; actually help them protect their assets.

        Anyone that knows a thing or two should know why automated scanners
just don't cut it. It's like I said before, automated vulnerability
scanners cannot protect you from hackers. If you think that they
can, then you just don't know what you are doing. :)

On Jan 12, 2009, at 10:04 PM, Michael Condon wrote:

> I'm not sure what the beef is here. All automated tools only get you
> as far as their inherent limitations. And most seem to come to
> different conclusions.
> A skilled manual pen tester can do some/all/maybe more than an
> automated tool, but will probably wrap his/her methodology - into
> their own automated tool.
> I agree with NeZa, it's best to act further based on the results of
> an automated tool - whether it's your own or someone else's. But no
> matter how far you go, you're still always one move ahead or behind
> a moving target.
> It's software. I don't like the laws of probability or the effects
> of gravity and weather either.
>
> --------------------------------------------------
> From: "Adriel T. Desautels" <ad_lists_at_netragard.com>
> Sent: Sunday, January 11, 2009 3:13 PM
> To: "NeZa" <danuxx_at_gmail.com>
> Cc: "ArcSighter Elite" <arcsighter_at_gmail.com>; <me_at_abegetchell.com>;
> "pen-test list" <pen-test_at_securityfocus.com>; "Security Basics" <security-basics_at_securityfocus.com>
> Subject: Re: Vulnerability Scanning Doesn't Work
>
>> NeZa,
>> It's possible to assess the security of an application without
>> automation while being much more thorough than an automated tool. It's
>> also very time consuming and expensive though.
>> On Jan 9, 2009, at 2:15 PM, NeZa wrote:
>>
>>> I will base my comments on Web Application Vulnerability
>>> Scanners....
>>>
>>> The main thing is related to Automated and Manual (which I called
>>> Educated) Testing.
>>>
>>> Even if you have a talented team of hackers you need to use some
>>> Automated effort, because, let's suppose you have some good XSS, XSRF,
>>> SQL attack strings to inject but you cannot do it manually against
>>> hundreds or thousands of GET/POST right?
>>> You need to automate, so definitely in order to have the best results
>>> you need to use a combination between Vulnerability Scanner (automated
>>> effort) and talented hackers (educated testing).
>>>
>>> "Educated Testing starts when Automated Scanning finishes" because there
>>> are things a machine cannot see.
>>>
>>> My 2 cents.
>>>
>>> On Thu, Jan 8, 2009 at 12:03 PM, ArcSighter Elite <arcsighter_at_gmail.com> wrote:
>>>>
>>>> Abe Getchell wrote:
>>>>> Hey Adriel,
>>>>>
>>>>> The title and opening paragraph of your blog post are quite misleading
>>>>> and rather reckless. There is definitely a false sense of security that
>>>>> is sold to some organizations by the developers of vulnerability
>>>>> scanning tools, but that is the fault of the purchasing organization
>>>>> (due to a lack of education and unqualified individuals making
>>>>> decisions), not those companies pushing their product. It's a consumer
>>>>> problem, not a technology or process problem, which you seem to
>>>>> describe it as in the bulk of your blog post. Vulnerability scanning
>>>>> tools can have a wonderfully awesome impact on your security posture if
>>>>> they're used in a manner in which they function adequately: as a
>>>>> compliance tool. While I understand the sales aspect of your blog post,
>>>>> what your customers (and any other organization investigating this type
>>>>> of technology) should understand is that they should not be "using a
>>>>> team of talented hackers for security testing instead of relying on
>>>>> automated vulnerability scanners", but rather "using a team of talented
>>>>> hackers AND vulnerability scanners for security testing and
>>>>> compliance".
>>>>>
>>>>> See ya,
>>>>> Abe
>>>>>
>>>>
>>>> I agree.
>>>> IMHO, a pen-tester team is a must-use for any penetration testing
>>>> scenario; they should be experienced people and whether they use
>>>> vuln scanners or not is their choice.
>>>> I see over and over (even in this list) posts such as:
>>>> "I'm doing a penetration test against a company. After running Acunetix,
>>>> it shows reports of x sql injection vulnerabilities. How can I prove to
>>>> my customer this is a high risk vuln? (...)"
>>>> What company could trust their security to such a case?
>>>> I think no one with a little common sense.
>>>> Vuln scanners are useful, but as I said, as with most tools, the human
>>>> knowledge is the real factor. When you combine both you get a pen-test.
>>>>
>>>> Honestly.
>>>>
>>> --
>>> Daniel Regalado aka NeZa
>>> Hacker Wanna Be from Nezahualcoyotl
>>>
>>> www.macula-group.com
>>>
>> Adriel T. Desautels
>> ad_lists_at_netragard.com
>> --------------------------------------
>>
>> Subscribe to our blog
>> http://snosoft.blogspot.com

        Adriel T. Desautels
        ad_lists_at_netragard.com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com
Received on Jan 13 2009
