Firewall Wizards mailing list archives

RE: concerning ~el8 / project mayhem


From: jankowsr () mskcc org
Date: Wed, 21 Aug 2002 12:07:39 -0400

Hiya Paul, 

While I am indeed advocating good design, I'm not against validation, I'm against vulnerability scanning - that, I think, is our point of difference (or maybe I just didn't articulate it well.) In other words, I'm saying that configuration validation is better than vulnerability testing for almost all classes of electronic attack.

I completely agree that it's impossible to determine the overall 
security posture of a system by running any vulnerability scanner. In my 
previous incarnation as a security consultant, I've seen too many people 
pass off the output from a scanner and say "Here's your main exposures", 
or worse yet, to say "You're secure" when the scanner found nothing!

But I do think that vulnerability scanners have a place, in that they 
give the system administrators and architects the ability to find and 
remediate a lot of the more common exposures, like the IIS 
vulnerabilities that seem to be present on anything Microsoft, etc. 

I've seen times (not at my current employer, thankfully) where there was 
a lot of political backlash about not wanting the InfoSec guys to do a 
hands-on. Running a scanner and presenting the results to management 
usually demonstrated that there was significant enough risk in the system to 
warrant a more formal review.

But overall, I think you're right, scanning by itself is worthless, and 
could cause more harm than no scanning at all.

--
Richard Jankowski
Senior Security Analyst
Information Security 
Memorial Sloan-Kettering Cancer Center
1050 Wall Street West - 5th Floor
Lyndhurst, NJ 07071
Ph: 201-635-5429
Fax: 201-507-1909

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
