Penetration Testing mailing list archives
Re: Qualys
From: Ben Nelson <lists () venom600 org>
Date: Thu, 09 Feb 2006 15:08:24 -0700
Curt Purdy wrote:
FYI, I did an analysis of a bank's (not mine) vuln test by Qualys and EVERY "found vulnerability" was a false positive, i.e. a found Apache vuln on an IIS server. I would never spend good money using them.
FWIW: I use Qualys on a daily basis and have found some false-positives from time to time. Every time I find a FP, though, I contact Qualys and they work pretty diligently to tweak their scanning engine and/or signatures as necessary to correct the issue. They take false positives pretty seriously (they have to if they want to be ranked among the best). I've been really pleased with the solution so far and use it to scan over a thousand IP addresses daily.

That being said: Any solution employed for this type of testing should always have a knowledgeable human behind it, validating the results. This is probably not a ground-breaking concept for anyone here, but it's a concept that can always use reinforcement.

--Ben