Re: Security Audit

[Renaud Deraison <deraison () cvs nessus org>]

On Thu, Sep 06, 2001 at 02:41:35AM -0400, Wertheimer, Ishai wrote:
> An e-commerce site is supposed to have an application layer or isn't it ?
> What about auditing the application on top?
>
> Many e-commerce sites have been hacked although you wouldn't find any
> vulnerability by running Nessus or such !


<off topic, self promotion>
Actually, Nessus 1.1.x has some plugins dedicated to the analysis of
CGIs. This is not as good as a humain brain with at least a two-digit
IQ, but that's better than just doing nothing. 
(it will catch trivial things such as param=../../../../etc/passwd%00
and such, but not dir=/etc&file=passwd, even though the later seems
trivial to any human being).
</off topic. Sorry for that>


But I agree with you - no automated tool can do a security _audit_. 

There's more to a security audit than just flashing redlights and
showing /etc/passwd to the management. Policies have to be read and
correlated with the real life on the network. Services that do not match
the policy should be told to be disabled, even if they're not vulnerable
to anything.

A security audit is first a matter of checking that kind of thing rather
than licensing the list of vulnerabilities on a network. Vulnerabilities
appear and disappear every day. The policy never changes.



                                -- Renaud

-- 
Renaud Deraison
The Nessus Project
http://www.nessus.org


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/