Penetration Testing mailing list archives
Re: Security Audit
From: Renaud Deraison <deraison () cvs nessus org>
Date: Thu, 6 Sep 2001 23:52:28 -0400
On Thu, Sep 06, 2001 at 02:41:35AM -0400, Wertheimer, Ishai wrote:
An e-commerce site is supposed to have an application layer or isn't it ? What about auditing the application on top? Many e-commerce sites have been hacked although you wouldn't find any vulnerability by running Nessus or such !
<off topic, self promotion> Actually, Nessus 1.1.x has some plugins dedicated to the analysis of CGIs. This is not as good as a humain brain with at least a two-digit IQ, but that's better than just doing nothing. (it will catch trivial things such as param=../../../../etc/passwd%00 and such, but not dir=/etc&file=passwd, even though the later seems trivial to any human being). </off topic. Sorry for that> But I agree with you - no automated tool can do a security _audit_. There's more to a security audit than just flashing redlights and showing /etc/passwd to the management. Policies have to be read and correlated with the real life on the network. Services that do not match the policy should be told to be disabled, even if they're not vulnerable to anything. A security audit is first a matter of checking that kind of thing rather than licensing the list of vulnerabilities on a network. Vulnerabilities appear and disappear every day. The policy never changes. -- Renaud -- Renaud Deraison The Nessus Project http://www.nessus.org ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Re: Security Audit, (continued)
- Re: Security Audit Philipp Buehler (Sep 06)
- Re: Security Audit bacano (Sep 06)
- Re: Security Audit Philipp Buehler (Sep 06)
- Re: Security Audit bacano (Sep 05)
- Re: Security Audit JCovington (Sep 05)
- Re: Security Audit bacano (Sep 06)
- RE: Security Audit PM Systems - Rick Woehler (Sep 05)
- Re: Security Audit H Carvey (Sep 06)
- RE: Security Audit Filer, Eddie (ZA - Johannesburg) (Sep 06)
- RE: Security Audit Wertheimer, Ishai (Sep 06)
- Re: Security Audit Erik Tayler (Sep 06)
- Re: Security Audit Renaud Deraison (Sep 07)
- Re: Security Audit Justin Stanford (Sep 07)
- Re: Security Audit bacano (Sep 10)
- RE: Security Audit Roberts, Kevin S (Sep 06)
- RE: Security Audit Ogle Ron (Rennes) (Sep 06)
- Re: Security Audit bluefur0r bluefur0r (Sep 06)
- Re: Security Audit Rob J Meijer (Sep 07)
- RE: Security Audit Aleksander Czarnowski (Sep 07)
- RE: Security Audit Ogle Ron (Rennes) (Sep 10)
- Re: Security Audit H Carvey (Sep 10)
- Re: Security Audit bacano (Sep 10)