Dailydave mailing list archives

RE: Last post.. please, this thread is killing me =)


From: robert () dyadsecurity com
Date: Tue, 30 Nov 2004 08:18:40 -0800

Julio Patel(smerdyakovv () gmail com)@Tue, Nov 30, 2004 at 08:42:47AM -0500:
Sure, but not every network-based test requires actual exploit code. 
I took issue with the two extremes being presented (with respect to
scanning).  The reality of scanning effectiveness (local, remote, or
hybrid) falls somewhere between "works all the time" (Ira) and "is
useless" (Robert).

It depends on what you're trying to deliver.  If you're just trying to identify potential problem areas, then it may be 
sufficient to say "based on the version information, we believe this may be vulnerable".  In our testing we try very 
hard to have at least 66% of the problems we report be verified issues.  It helps us with the Risk Assessment Values we 
calculate to go along with the findings.  Otherwise you're dealing with pure speculation.

Imagine you went to the doctor and something in the test came out funny and he reports:
Well, it looks like you have AIDS, Syphilis, Cancer, an ingrown toenail, and bone decay.

What if the only one he actually verified was the ingrown toenail, and he simply had incomplete tests for the other 
ailments on the report?  What I was saying before is that simply looking at version information alone is insufficient to 
determine susceptibility to a problem.

What happens when you use the current tools, like Nessus, ISS, Retina, etc., is you get a really big list of things to 
follow up on.  Some of it's good, most of it's crap.  Problem is you won't know which is which until you go through all 
of it.

These tools can be built more intelligently.  We're working on doing just that.

You completely missed what I was saying, but that's all right since
you've seen fit to give me an honorary degree.  I'm not for either
extreme...my ideal model would probably lie somewhere in between
(relative to me and different for each situation).

When you're performing your own tests at your own company (take my consulting business model out of the equation for a 
moment), it's not sufficient to merely look at the results of an automated tool.  The tool is wrong a lot of the time.  
It misses things.  It says things are broken when they're not.  It is really helpful from a security perspective to be 
able to measure for yourself if you are really vulnerable or not.  You cannot turn off your brain in exchange for a 
pretty tool.  This is what many companies are being told to do.  This is what many "security testing" companies are 
doing.

Oh, and when we meet up at Black Hat, or defcon or whatever .. I'd like to introduce you to Jack.  I think if you met 
him you'd laugh about that sales "fluff" comment.

Btw, seriously, what's up with the whole Julio thing? =).

Don Juan

-- 
Don Juan
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - don_juan () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

