Re: Vulnerability Scanning Doesn't Work

["Michael Condon" <admin () singulartechnologysolutions com>]

I'm not sure what the beef is here. All automated tools only get you only 
as
far as their inherent limitations. And most seem to come to different
conclusions.
A skilled manual pen tester can do some/all/maybe more than an automated
tool, but will probably wrap his/her methodology - into their own automated
tool.
I agree with NeZa, it's best to act further based on the results of an
automated tool - whether it's your own or someone else's. But no matter how
far you go, you're still always one move ahead or behind a moving target.
It's software. I don't like the laws of probability or the effects of
gravity and weather either.

> --------------------------------------------------
> From: "Adriel T. Desautels" <ad_lists () netragard com>
> Sent: Sunday, January 11, 2009 3:13 PM
> To: "NeZa" <danuxx () gmail com>
> Cc: "ArcSighter Elite" <arcsighter () gmail com>; <me () abegetchell com>; 
> "pen-test list" <pen-test () securityfocus com>; "Security Basics" 
> <security-basics () securityfocus com>
> Subject: Re: Vulnerability Scanning Doesn't Work
>
> > NeZa,
> > Its possible to assess the security of an application without
> > automation while being much more through than an automated tool.  Its
> > also very time consuming and expensive though.
> > On Jan 9, 2009, at 2:15 PM, NeZa wrote:
> >
> > > I will based my comments on Web Application Vulnerability Scanners....
> > >
> > > The main thing is related to Automated and Manual (which i called
> > > Educated) Testing.
> > >
> > > Even if you have a talented team of hackers you need to use some
> > > Automated effort, because, lets suppose you have some good XSS, XSRF,
> > > SQL  attack strings to inject but you can not do it manually against
> > > hundreds or thousands of GET/POST right?
> > > You need to automate, so definitely in order to have the best results
> > > you need to use a combination between Vulnerability Scanner (automated
> > > effort) and telented hackers (educated testing).
> > >
> > > "Educated Testing starts when Automated Scanning finish" because there
> > > are things a machine can not see.
> > >
> > > My 2 cents.
> > >
> > > On Thu, Jan 8, 2009 at 12:03 PM, ArcSighter Elite <arcsighter () gmail com
> > > > wrote:
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > Abe Getchell wrote:
> > > > > Hey Adriel,
> > > > >
> > > > > The title and opening paragraph of your blog post are quite
> > > > > misleading and
> > > > > rather reckless. There is definitely a false sense of security
> > > > > that is sold
> > > > > to some organizations by the developers of vulnerability scanning
> > > > > tools, but
> > > > > that is the fault of the purchasing organization (due to a lack of
> > > > > education
> > > > > and unqualified individuals making decisions), not those companies
> > > > > pushing
> > > > > their product. It's a consumer problem, not a technology or
> > > > > process problem,
> > > > > which you seem to describe it as in the bulk of your blog post.
> > > > > Vulnerability scanning tools can have a wonderfully awesome impact
> > > > > on your
> > > > > security posture if they're used in a manner in which they function
> > > > > adequately; as a compliance tool. While I understand the sales
> > > > > aspect of
> > > > > your blog post, what your customers (and any other organization
> > > > > investigating this type of technology) should understand is that
> > > > > they should
> > > > > not be "using a team of talented hackers for security testing
> > > > > instead of
> > > > > relying on automated vulnerability scanners", but rather "using a
> > > > > team of
> > > > > talented hackers AND vulnerability scanners for security testing and
> > > > > compliance".
> > > > >
> > > > > See ya,
> > > > > Abe
> > > >
> > > > I agree.
> > > > IMHO, a pen-testers team is a must-use for any penetration testing
> > > > scenario; they should be experienced people and the matter if they
> > > > use
> > > > vuln scanners or not, is of their choice.
> > > > I see over and over (even in this list) post such as:
> > > > "I'm doing a penetration test against a company. After running
> > > > Acunetix,
> > > > it show reports of x sql injection vulnerabilities. How can I probe
> > > > my
> > > > customer this is a high risk vuln? (...)"
> > > > What company could trust their security to such case?
> > > > I think no-one with a little of common sense.
> > > > Vuln scanners are useful, but as I said, as with most tools, the
> > > > human
> > > > knowledge is the real factor. When you combine both they you get
> > > > pen-test.
> > > >
> > > > Honestly.
> > > >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.4.6 (GNU/Linux)
> > > >
> > > > iD8DBQFJZj/iH+KgkfcIQ8cRAusCAJ97dUxaYh0EVIr1b6x8CP3iBT8JUwCfTc3O
> > > > gwCsn8ac113S5HT8eGP1S0U=
> > > > =e2nz
> > > > -----END PGP SIGNATURE-----
> > >
> > >
> > >
> > > --
> > > Daniel Regalado aka NeZa
> > > Hacker Wanna Be from Nezahualcoyotl
> > >
> > > www.macula-group.com
> >
> >
> >
> > Adriel T. Desautels
> > ad_lists () netragard com
> >         --------------------------------------
> >
> > Subscribe to our blog
> >         http://snosoft.blogspot.com
>
>
>
> > No virus found in this incoming message.
> > Checked by AVG - http://www.avg.com
> > Version: 8.0.176 / Virus Database: 270.10.5/1886 - Release Date: 
> > 1/10/2009 6:01 PM