Penetration Testing mailing list archives

Re: Qualys


From: Ben Nelson <lists () venom600 org>
Date: Thu, 09 Feb 2006 15:08:24 -0700

Curt Purdy wrote:
FYI, I did an analysis of a bank's (not mine) vuln test by Qualys and EVERY
"found vulnerability" was a false positive, i.e., a found Apache vuln on an
IIS server.  I would never spend good money using them.


FWIW: I use Qualys on a daily basis and have found some false-positives
from time to time.  Every time I find a FP, though, I contact Qualys and
they work pretty diligently to tweak their scanning engine and/or
signatures as necessary to correct the issue.  They take false positives
pretty seriously (they have to if they want to be ranked among the
best).  I've been really pleased with the solution so far and use it to
scan over a thousand IP addresses daily.

That being said:  Any solution employed for this type of testing should
always have a knowledgeable human behind it, validating the results.
This is probably not a ground-breaking concept for anyone here, but it's
a concept that can always use reinforcement.

--Ben
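As an added illustration of the kind of validation step both posters are describing (this is example code, not anything from Qualys or from the thread's authors), the script below cross-checks each scanner finding against the web server product independently observed on that host and port. The finding list, the observed banners, and the finding ids are all constructed sample data; the product patterns are an assumption of what a triage script would look for. The point is the one Ben makes: a mismatch such as an Apache finding on a host answering as IIS is flagged for a human, not silently dropped, and a match is only "plausible", not confirmed.

```python
import re

# Constructed sample scanner output: what the scanner claims about each host/port.
# The ids and hosts are made up for this example.
FINDINGS = [
    {"host": "10.0.0.5", "port": 80, "id": "FINDING-1",
     "title": "Apache mod_ssl buffer overflow", "product": "Apache"},
    {"host": "10.0.0.5", "port": 80, "id": "FINDING-2",
     "title": "IIS WebDAV information disclosure", "product": "IIS"},
    {"host": "10.0.0.9", "port": 443, "id": "FINDING-3",
     "title": "Apache httpd outdated version", "product": "Apache"},
    {"host": "10.0.0.12", "port": 8080, "id": "FINDING-4",
     "title": "Apache Tomcat default files", "product": "Tomcat"},
]

# Constructed sample evidence gathered independently of the scanner
# (e.g. Server headers recorded by the inventory system), keyed by (host, port).
OBSERVED_BANNERS = {
    ("10.0.0.5", 80): "Microsoft-IIS/6.0",
    ("10.0.0.9", 443): "Apache/2.0.55 (Unix)",
    # 10.0.0.12:8080 deliberately has no recorded banner.
}

# Assumed product fingerprints; extend to match the products in your estate.
PRODUCT_PATTERNS = {
    "Apache": re.compile(r"^Apache/", re.IGNORECASE),
    "IIS": re.compile(r"Microsoft-IIS", re.IGNORECASE),
    "Tomcat": re.compile(r"Apache-Coyote|Tomcat", re.IGNORECASE),
    "nginx": re.compile(r"^nginx", re.IGNORECASE),
}


def identify_product(banner):
    """Map a Server banner to a product name, or None if unrecognised."""
    for name, pattern in PRODUCT_PATTERNS.items():
        if pattern.search(banner):
            return name
    return None


def triage(findings, banners):
    """Attach a triage verdict to each finding.

    likely-false-positive: observed product contradicts the finding's product.
    plausible:             products agree; still needs human confirmation.
    needs-review:          no independent evidence, so a human must look.
    """
    results = []
    for finding in findings:
        banner = banners.get((finding["host"], finding["port"]))
        observed = identify_product(banner) if banner else None
        if observed is None:
            verdict = "needs-review"
        elif observed == finding["product"]:
            verdict = "plausible"
        else:
            verdict = "likely-false-positive"
        results.append({**finding, "observed": observed, "verdict": verdict})
    return results


def summarize(results):
    """Count verdicts so the reviewer sees how much of the report needs a closer look."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    triaged = triage(FINDINGS, OBSERVED_BANNERS)
    for r in triaged:
        print(f'{r["id"]:10} {r["host"]}:{r["port"]:<5} claims {r["product"]:7} '
              f'observed {str(r["observed"]):7} -> {r["verdict"]}')
    print(summarize(triaged))
```

A banner is only a hint: it can be removed, rewritten by a proxy, or simply wrong, which is why the script never marks anything "confirmed" and why even the "likely-false-positive" bucket goes to a reviewer rather than being discarded.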


