Penetration Testing
mailing list archives
Re: nessus exceptions
From: H Carvey <keydet89 () yahoo com>
Date: 5 Aug 2004 17:27:49 -0000
In-Reply-To: <20040803210137.GF4161 () bozorky foofus net>
> This plan has a flaw: what if they don't detect the holes? It gives
> you no information about whether or not they use anything besides
> Nessus; it only tells you that they didn't detect the hole.
> A better plan might be to ask them which portions of their output
> came from tools other than Nessus.
I like Foofus's approach. I've been involved with far too many audits and assessments (from both sides) where this technical approach to foiling or fooling the auditor ends up blowing up in your face.
If you're concerned about the tools that are used, sit down with the testing company and ask them. They should tell
you.
Are you concerned that the testing company is using only one tool? Tools like this are only as good as the person who
uses them. Do the testers understand the NASL scripts? Have they written their own custom scripts? If so, have any
of these scripts been released back to the community (so that you can verify it)? Having a clueless operator run ISS
and Nessus, rather than just one, really doesn't give you much.