Security Basics mailing list archives

RE: Revising it [Vulnerability Scanning Doesn't Work]


From: "Siedelberg, Mike" <mike.siedelberg () us pgds com>
Date: Fri, 9 Jan 2009 11:36:29 -0500

 
Hey man, don't you worry, this was a great post that resulted in a good
discussion which in turn brought up a lot of valid points.  There is
something about the idea that you are advertising your blog or promoting
your company that has some merit, but I never took your post to be that.


Probably a bad idea to use automatic posting to the list though.
Disabling that feature and providing a link seems acceptable.  When I
saw that part, I knew right away it would get negative response.

While your post may not be pertinent to everyone, as we share different
interests, no one is forcing anyone to visit that link.  I would rather
just exercise my delete key than miss such a good discussion.  There is
a huge volume of spam and such these days, people might be just a little
bit sensitive.  


Here's the original message:

Greetings all. I've finished another entry on our blog. This time the
entry was about why vulnerability scanners do not work. It goes into a
little bit of detail and is intended for the average reader. My goal was
to help to educate people about what vulnerability scanning really is.

For the record, I did add the email address of this list to my blogger
so that entries are automatically posted to this list. If anyone is
against me doing that, or if that is a violation of the list policy then
please let me know and I'll stick with this method of letting people
know.  (I'm not sure if it worked hence why I'm writing this email).

Anyway, here's the latest entry:

http://snosoft.blogspot.com/2009/01/vulnerability-scanning-doesnt-work.html

As always, comments are more than welcome.
I can't find anything objectionable with this aside from that automatic
posting bit.  Look at it like this, the members of this list are on here
to post and read.  Blogs are not members of the list and should not be
allowed to automatically post.  It's kind of you to want to help, but
provide the reference link and let folks make up their own mind whether
to visit the link (or not).

Anyway, keep up the good work, very much appreciated.  Let's move on...
G Mike Siedelberg
IT Security Senior Staff
Prudential Global Data Services
Desk Phone:  517-367-3546  Cell:  517-230-0922

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Adriel T. Desautels
Sent: Thursday, January 08, 2009 1:54 PM
To: ArcSighter Elite
Cc: me () abegetchell com; 'pen-test list'; 'Security Basics'
Subject: Revising it [Vulnerability Scanning Doesn't Work]

To all of you who have commented:

My last entry/article received a lot of input from a lot of different
people. Some of the people were emotional, insulting and just not
constructive but yet still amusing. Others were highly constructive and
offered their perspective on what it was that I published. My goal with
the blog is to make it an informational resource that is accurate and
truthful.  As such, I am going to make a few more modifications to the
entry as to accommodate some things that I left out.

Would the readers of this list rather that I post the entire blog entry
to the list? Would they rather that I post a link? Or would they rather
that I just not post here at all?  I've set up a poll on the blog if
you're interested in participating. The last thing that I want to do is
to force my views down anyone's throat.

Anyway, thank you again for the comments, I'm trying to keep it real.
On Jan 8, 2009, at 1:03 PM, ArcSighter Elite wrote:

Abe Getchell wrote:
Hey Adriel,

The title and opening paragraph of your blog post are quite
misleading and rather reckless. There is definitely a false sense of
security that is sold to some organizations by the developers of
vulnerability scanning tools, but that is the fault of the purchasing
organization (due to a lack of education and unqualified individuals
making decisions), not those companies pushing their product. It's a
consumer problem, not a technology or process problem, which you seem
to describe it as in the bulk of your blog post.

Vulnerability scanning tools can have a wonderfully awesome impact on
your security posture if they're used in a manner in which they
function adequately: as a compliance tool. While I understand the
sales aspect of your blog post, what your customers (and any other
organization investigating this type of technology) should understand
is that they should not be "using a team of talented hackers for
security testing instead of relying on automated vulnerability
scanners", but rather "using a team of talented hackers AND
vulnerability scanners for security testing and compliance".

See ya,
Abe


I agree.
IMHO, a pen-testers' team is a must-use for any penetration testing
scenario; they should be experienced people, and whether they use
vuln scanners or not is their choice.
I see over and over (even in this list) posts such as:
"I'm doing a penetration test against a company. After running
Acunetix, it shows reports of x SQL injection vulnerabilities. How can
I prove to my customer this is a high risk vuln? (...)"
What company could trust their security to such a case?
I think no one with a little common sense.
Vuln scanners are useful, but as I said, as with most tools, the human
knowledge is the real factor. When you combine both, you get a
pen-test.

Honestly.

Adriel T. Desautels
ad_lists () netragard com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com