Security Basics mailing list archives

Re: Vulnerability Scanning Doesn't Work


From: Brian Ford <brford () cisco com>
Date: Thu, 15 Jan 2009 11:15:01 -0500

Adriel,

You can take what I wrote as you will.  I did not intend to discredit you or
what you had written.  Let me call attention to what you just wrote to me:

My opinion is based on facts and years and years of
experience, what's yours based on?

The only issue I raised was that what you wrote was your opinion.  The
Security Basics list is a forum for people to ask questions, exchange ideas,
and learn about security technologies.  Your comments are about all
scanners. You didn't call out specific tools and specific instances.  You
made some interesting points.  But those points represent your opinions.

To the best of my knowledge my employer does not sell a vulnerability
scanning technology.

Liberty,

Brian

On 1/15/09 10:56 AM, "Adriel T. Desautels" <ad_lists () netragard com> wrote:

Brian,
You are incorrect, my first paragraph reads what I intended for it to
read.  With respect to your comment, I feel that it is an attempt to
discredit what I've written.  If you disagree with anything that I've
said and can provide a factual argument as to why I am wrong then I
will change what I've written.  If you can only attack what I've
written by stating that it's a matter of opinion, then it's your opinion
vs my opinion.   My opinion is based on facts and years and years of
experience, what's yours based on?

Doesn't Cisco also sell Vulnerability Scanning technology?  If you'd
like for me to test its effectiveness against a real world scenario
then I'd be more than happy to.  I promise that my findings will be
truthful and factual and you can hold my feet to that.  Let me know,
the offer is serious and it stands...


On Jan 15, 2009, at 7:32 AM, Brian Ford wrote:

Adriel & List;

I believe the first paragraph of Adriel's previous post should read:

"Let me clear it up for you.  IN MY OPINION automated tools, like
vulnerability scanners, are great when used properly and
responsibly..."

Please don't forget that one of the purposes of this list is to share
information, opinions and beliefs on the state of security.  I have
noted that Adriel has expressed a number of strong opinions on list
recently.  That's great in that it encourages discussion.  Not everyone
has to agree or challenge those views.  But let's remember that they
are opinions.

Liberty,

Brian

On 1/12/09 10:47 PM, "Adriel T. Desautels" <ad_lists () netragard com>
wrote:

Michael,
Let me clear it up for you.  Automated tools, like vulnerability
scanners, are great when used properly and responsibly.  They save
time and energy by finding low hanging fruit.  That's where it ends.

Many vendors produce deliverables that are the product (direct or
indirect) of automated tools.  Those products are not only poor
quality but usually have no to minimal human talent involved.  In my
opinion those businesses are providing a disservice and selling their
customers a false sense of security.

What is the customer paying for anyway?  Are they paying you to click
a button and run a scan, or are they paying you for your security
expertise? In too many cases security providers call themselves
experts but all they do is click that scan button.  The unfortunate
truth is that this has become the norm and their customers don't even
know it.  The fraudulent security providers are in fact taking
advantage of their customers. That's my beef.

And so what if the customer requests that service?  The provider is
supposed to be the expert.  Educate the customer about what real
security testing is.  Don't be a vulture and take their money because
it's easy, actually help them protect their assets.

Anyone that knows a thing or two should know why automated scanners
just don't cut it.  It's like I said before, automated vulnerability
scanners cannot protect you from hackers.  If you think that they
can, then you just don't know what you are doing.    :)

On Jan 12, 2009, at 10:04 PM, Michael Condon wrote:

I'm not sure what the beef is here.  All automated tools only get you
as far as their inherent limitations.  And most seem to come to
different conclusions.
A skilled manual pen tester can do some/all/maybe more than an
automated tool, but will probably wrap his/her methodology - into
their own automated tool.
I agree with NeZa, it's best to act further based on the results of
an automated tool - whether it's your own or someone else's. But no
matter how far you go, you're still always one move ahead or behind
a moving target.
It's software. I don't like the laws of probability or the effects
of gravity and weather either.

--------------------------------------------------
From: "Adriel T. Desautels" <ad_lists () netragard com>
Sent: Sunday, January 11, 2009 3:13 PM
To: "NeZa" <danuxx () gmail com>
Cc: "ArcSighter Elite" <arcsighter () gmail com>; <me () abegetchell com>;
"pen-test list" <pen-test () securityfocus com>; "Security Basics"
<security-basics () securityfocus com>

Subject: Re: Vulnerability Scanning Doesn't Work

NeZa,
It's possible to assess the security of an application without
automation while being much more thorough than an automated tool.  It's
also very time consuming and expensive though.

On Jan 9, 2009, at 2:15 PM, NeZa wrote:

I will base my comments on Web Application Vulnerability
Scanners....

The main thing is related to Automated and Manual (which I called
Educated) Testing.

Even if you have a talented team of hackers you need to use some
Automated effort, because, let's suppose you have some good XSS,
XSRF, SQL attack strings to inject but you cannot do it manually
against hundreds or thousands of GET/POST right?
You need to automate, so definitely in order to have the best
results you need to use a combination between Vulnerability Scanner
(automated effort) and talented hackers (educated testing).

"Educated Testing starts when Automated Scanning finishes" because
there are things a machine cannot see.

My 2 cents.

On Thu, Jan 8, 2009 at 12:03 PM, ArcSighter Elite <arcsighter () gmail com
wrote:

Abe Getchell wrote:
Hey Adriel,

The title and opening paragraph of your blog post are quite
misleading and rather reckless.  There is definitely a false sense of
security that is sold to some organizations by the developers of
vulnerability scanning tools, but that is the fault of the purchasing
organization (due to a lack of education and unqualified individuals
making decisions), not those companies pushing their product.  It's a
consumer problem, not a technology or process problem, which you seem
to describe it as in the bulk of your blog post.  Vulnerability
scanning tools can have a wonderfully awesome impact on your security
posture if they're used in a manner in which they function adequately;
as a compliance tool.  While I understand the sales aspect of your
blog post, what your customers (and any other organization
investigating this type of technology) should understand is that they
should not be "using a team of talented hackers for security testing
instead of relying on automated vulnerability scanners", but rather
"using a team of talented hackers AND vulnerability scanners for
security testing and compliance".

See ya,
Abe


I agree.
IMHO, a pen-testers team is a must-use for any penetration testing
scenario; they should be experienced people, and whether they use
vuln scanners or not is their choice.
I see over and over (even in this list) posts such as:
"I'm doing a penetration test against a company.  After running
Acunetix, it shows reports of x sql injection vulnerabilities.  How
can I probe my customer this is a high risk vuln? (...)"
What company could trust their security to such a case?
I think no one with a little common sense.
Vuln scanners are useful, but as I said, as with most tools, the
human knowledge is the real factor.  When you combine both, you get a
pen-test.

Honestly.


-- 
Daniel Regalado aka NeZa
Hacker Wanna Be from Nezahualcoyotl

www.macula-group.com
Adriel T. Desautels
ad_lists () netragard com
      --------------------------------------

Subscribe to our blog
      http://snosoft.blogspot.com
