Security Basics: Re: Vulnerability Scanning Doesn't Work

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Abe Getchell wrote:
> Hey Adriel,
>
> The title and opening paragraph of your blog post are quite misleading and
> rather reckless. There is definitely a false sense of security that is sold
> to some organizations by the developers of vulnerability scanning tools, but
> that is the fault of the purchasing organization (due to a lack of education
> and unqualified individuals making decisions), not those companies pushing
> their product. It's a consumer problem, not a technology or process problem,
> which you seem to describe it as in the bulk of your blog post.
> Vulnerability scanning tools can have a wonderfully awesome impact on your
> security posture if they're used in a manner in which they function
> adequately; as a compliance tool. While I understand the sales aspect of
> your blog post, what your customers (and any other organization
> investigating this type of technology) should understand is that they should
> not be "using a team of talented hackers for security testing instead of
> relying on automated vulnerability scanners", but rather "using a team of
> talented hackers AND vulnerability scanners for security testing and
> compliance".
>
> See ya,
> Abe
I agree.
IMHO, a pen-testers team is a must-use for any penetration testing
scenario; they should be experienced people and the matter if they use
vuln scanners or not, is of their choice.

Vuln scanners are useful, but as I said, as with most tools, the human
knowledge is the real factor. When you combine both they you get pen-test.

Honestly.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJZkROH+KgkfcIQ8cRAr25AJ9cIgT37o8Vgmmn2xsfYkK7cTcYQACdEqxz
a2JUdNkvPb67lHMpMAIsnD8=
=baKp
-----END PGP SIGNATURE-----