Dailydave: Re: Twitter: (verb) to fail under exponential growth

From: Chris Eng <ceng_at_Veracode.com>
Date: Sun, 29 Jun 2008 15:02:07 -0400

Oh come on, you know the answer to that. Because things break. Same
reason people don't run WAFs in prevent mode, same reason IPS isn't more
popular. Source/binary tools could patch automatically, in theory, but
in order to measure whether it broke something, you have to have an
extremely robust regression suite.

Network scanners applying patches for known vulns... don't some products
do that already, integrating with patch management tools and whatnot?

> I've always wondered about the rest of our technology that
> fails in a similar way. Why do our application assessment
> tools not also fix the bugs they find? If you're trying to
> buy web application scanning, then your scanner should also
> be updating the application to fix those pesky SQL Injection
> bugs. Your binary/source analysis tool should be svn
> committing patches to fix your overflows. If you have to rely
> on a developer to understand the bugs themselves, it doesn't
> scale. Your network attack tool should upload and run the
> right patch automatically.[1] Does the modern generation of
> scanners do this?
>
> -dave
> [1] Obviously you can upload a management program like
> BindView instead,
> but this means you have to MANAGE everything, which doesn't scale.
>
> _______________________________________________
> Dailydave mailing list
> Dailydave_at_lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
Received on Jun 29 2008
