Security Basics: Revising it [Vulnerability Scanning Doesn't Work]

["Adriel T. Desautels" <ad_lists () netragard com>]

To all of you who have commented:

My last entry/article received a lot of input from a lot of different  
people. Some of the people were emotional, insulting and just not  
constructive but yet still amusing. Others were highly constructive  
and offered their perspective on what it was that I published. My goal  
with the blog is to make it an informational resource that is accurate  
and truthful.  As such, I am going to make a few more modifications to  
the entry as to accommodate some things that I left out.
Would the readers of this list rather that I post the entire blog  
entry to the list? Would the rather that I post a link? Or would they  
rather that I just not post here at all?  I've set up a poll on the  
blog if you're interested in participating. The last thing that I want  
to do is to force my views down anyone's throats.
Anyway, thank you again for the comments, I'm trying to keep it real.



On Jan 8, 2009, at 1:03 PM, ArcSighter Elite wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Abe Getchell wrote:
> > Hey Adriel,
> >
> > The title and opening paragraph of your blog post are quite  
> > misleading and
> > rather reckless. There is definitely a false sense of security that  
> > is sold
> > to some organizations by the developers of vulnerability scanning  
> > tools, but
> > that is the fault of the purchasing organization (due to a lack of  
> > education
> > and unqualified individuals making decisions), not those companies  
> > pushing
> > their product. It's a consumer problem, not a technology or process  
> > problem,
> > which you seem to describe it as in the bulk of your blog post.
> > Vulnerability scanning tools can have a wonderfully awesome impact  
> > on your
> > security posture if they're used in a manner in which they function
> > adequately; as a compliance tool. While I understand the sales  
> > aspect of
> > your blog post, what your customers (and any other organization
> > investigating this type of technology) should understand is that  
> > they should
> > not be "using a team of talented hackers for security testing  
> > instead of
> > relying on automated vulnerability scanners", but rather "using a  
> > team of
> > talented hackers AND vulnerability scanners for security testing and
> > compliance".
> >
> > See ya,
> > Abe
> I agree.
> IMHO, a pen-testers team is a must-use for any penetration testing
> scenario; they should be experienced people and the matter if they use
> vuln scanners or not, is of their choice.
> I see over and over (even in this list) post such as:
> "I'm doing a penetration test against a company. After running  
> Acunetix,
> it show reports of x sql injection vulnerabilities. How can I probe my
> customer this is a high risk vuln? (...)"
> What company could trust their security to such case?
> I think no-one with a little of common sense.
> Vuln scanners are useful, but as I said, as with most tools, the human
> knowledge is the real factor. When you combine both they you get pen- 
> test.
> Honestly.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJZj/iH+KgkfcIQ8cRAusCAJ97dUxaYh0EVIr1b6x8CP3iBT8JUwCfTc3O
> gwCsn8ac113S5HT8eGP1S0U=
> =e2nz
> -----END PGP SIGNATURE-----


        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com