Dailydave mailing list archives
RE: Last post.. please, this thread is killing me =)
From: robert () dyadsecurity com
Date: Tue, 30 Nov 2004 08:18:40 -0800
Julio Patel(smerdyakovv () gmail com)@Tue, Nov 30, 2004 at 08:42:47AM -0500:
> Sure, but not every network-based test requires actual exploit code. I took issue with the two extremes being presented (with respect to scanning). The reality of scanning effectiveness (local, remote, or hybrid) falls somewhere between "works all the time" (Ira) and "is useless" (Robert).
It depends on what you're trying to deliver. If you're just trying to identify potential problem areas, then it may be sufficient to say "based on the version information, we believe this may be vulnerable". In our testing we try very hard to have at least 66% of the problems we report be verified issues. It helps us with the Risk Assessment Values we calculate to go along with the findings. Otherwise you're dealing with pure speculation.

Imagine you went to the doctor and something in the test came out funny and he reports: "Well, it looks like you have AIDS, syphilis, cancer, an ingrown toenail, and bone decay." What if the only one he actually verified was the ingrown toenail, and he simply had incomplete tests for the other ailments on the report?

What I was saying before is that simply looking at version information alone is insufficient to determine susceptibility to a problem. What happens when you use the current tools, like Nessus, ISS, Retina, etc., is you get a really big list of things to follow up on. Some of it's good, most of it's crap. The problem is you won't know which is which until you go through all of it. These tools can be built more intelligently. We're working on doing just that.
> You completely missed what I was saying, but that's all right since you've seen fit to give me an honorary degree. I'm not for either extreme... my ideal model would probably lie somewhere in between (relative to me and different for each situation).
When you're performing your own tests at your own company (take my consulting business model out of the equation for a moment), it's not sufficient to merely look at the results of an automated tool. The tool is wrong a lot of the time. It misses things. It says things are broken when they're not. It is really helpful from a security perspective to be able to measure for yourself if you are really vulnerable or not. You cannot turn off your brain in exchange for a pretty tool. This is what many companies are being told to do. This is what many "security testing" companies are doing.

Oh, and when we meet up at Black Hat, or DEF CON, or whatever... I'd like to introduce you to Jack. I think if you met him you'd laugh about that sales "fluff" comment.

Btw, seriously, what's up with the whole Julio thing? =)

Don Juan

--
Don Juan
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - don_juan () dyadsecurity com
M - (949) 394-2033

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave