Security Basics mailing list archives
Re: Vulnerability Scanning Doesn't Work
From: krymson () gmail com
Date: 13 Jan 2009 17:13:51 -0000
Mr. Desautels,

The impression I get is that you blanket despise any automated testing? Maybe I'm wrong in that impression, but that seems like a dangerously narrow view. Are there any pen-testers who do not use any automation at all?

Further, let's say a good pen-tester does her testing manually and uses a good methodology and gives a certain deliverable. Almost certainly she will re-use that same deliverable template for another client, just like using the same methodology. Isn't one of the points of re-using consistent methodologies so you don't have to reinvent the whole test over again the next time? It would follow that as she does more assessments, she will automate various pieces so that her time commitment lessens on those pieces, resulting in better returns or more time spent elsewhere. Continue down this path long enough, and you have... automation, which you despise.

I'm confused... maybe we must do it the hard way? To me, that seems to be the common opinion of people who despise 'script kiddies' when in fact they may be more efficient than someone sticking to their manual tools?

I'm not saying automation should replace human pen-testers; absolutely not! But take care to include both and not just despise one because it may be below you or easy or less accurate. Your real argument is with people who accept those automated reports as religion... and I don't think you'll find any of those people on this list or in your audience. Don't shoot automated testing just because some people use only them for their checklist security.

Cheers!

<- snip ->

Nevertheless automated scanning doesn't produce an accurate deliverable. That is in fact impossible. Manual testing can produce a very accurate deliverable if it's done right with the right methodology. Hence my gripe with any security provider that offers services whose products are the direct result of automated testing.