Re: Vulnerability Scanning Doesn't Work

[NeZa <danuxx () gmail com>]

I will based my comments on Web Application Vulnerability Scanners....

The main thing is related to Automated and Manual (which i called
Educated) Testing.

Even if you have a talented team of hackers you need to use some
Automated effort, because, lets suppose you have some good XSS, XSRF,
SQL  attack strings to inject but you can not do it manually against
hundreds or thousands of GET/POST right?
You need to automate, so definitely in order to have the best results
you need to use a combination between Vulnerability Scanner (automated
effort) and telented hackers (educated testing).

"Educated Testing starts when Automated Scanning finish" because there
are things a machine can not see.

My 2 cents.

On Thu, Jan 8, 2009 at 12:03 PM, ArcSighter Elite <arcsighter () gmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Abe Getchell wrote:
> > Hey Adriel,
> >
> > The title and opening paragraph of your blog post are quite misleading and
> > rather reckless. There is definitely a false sense of security that is sold
> > to some organizations by the developers of vulnerability scanning tools, but
> > that is the fault of the purchasing organization (due to a lack of education
> > and unqualified individuals making decisions), not those companies pushing
> > their product. It's a consumer problem, not a technology or process problem,
> > which you seem to describe it as in the bulk of your blog post.
> > Vulnerability scanning tools can have a wonderfully awesome impact on your
> > security posture if they're used in a manner in which they function
> > adequately; as a compliance tool. While I understand the sales aspect of
> > your blog post, what your customers (and any other organization
> > investigating this type of technology) should understand is that they should
> > not be "using a team of talented hackers for security testing instead of
> > relying on automated vulnerability scanners", but rather "using a team of
> > talented hackers AND vulnerability scanners for security testing and
> > compliance".
> >
> > See ya,
> > Abe
>
> I agree.
> IMHO, a pen-testers team is a must-use for any penetration testing
> scenario; they should be experienced people and the matter if they use
> vuln scanners or not, is of their choice.
> I see over and over (even in this list) post such as:
> "I'm doing a penetration test against a company. After running Acunetix,
> it show reports of x sql injection vulnerabilities. How can I probe my
> customer this is a high risk vuln? (...)"
> What company could trust their security to such case?
> I think no-one with a little of common sense.
> Vuln scanners are useful, but as I said, as with most tools, the human
> knowledge is the real factor. When you combine both they you get pen-test.
>
> Honestly.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJZj/iH+KgkfcIQ8cRAusCAJ97dUxaYh0EVIr1b6x8CP3iBT8JUwCfTc3O
> gwCsn8ac113S5HT8eGP1S0U=
> =e2nz
> -----END PGP SIGNATURE-----



-- 
Daniel Regalado aka NeZa
Hacker Wanna Be from Nezahualcoyotl

www.macula-group.com