Penetration Testing mailing list archives
RE: Qualys
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 10 Feb 2006 11:48:03 -0600
-----Original Message-----
Curt Purdy wrote:

> FYI, I did an analysis of a bank's (not mine) vuln test by Qualys and EVERY "found vulnerability" was a false positive, i.e. a found Apache vuln on an IIS server. I would never spend good money using them.
We used to have an annual scanner bake-off here at my employer, and Qualys was consistently one of the top performers. I haven't kept up with the product recently, but this doesn't sound like the Qualys I worked with. We vigorously debated tests and results, from cross-site tracing to buffer overflows in some old Netscape libraries. Qualys was one of a small handful of vendors who gave us direct access to their developers (Qualys, eEye, NGS come to mind) and the only vendor that actually provided us source code for exploit tests so that we could manually verify on our end what was being performed by the checks. Your description does not sound like the Qualys I worked with.

I find that human analysis is critical in these situations. If you trust that the vendor has properly built checks, then finding an "Apache vuln on an IIS server" would make me inspect and see what exactly was going on, and make sure that it is a false positive, and that someone isn't running some Apache or Apache-library related code on the IIS server.

In the example of the above-mentioned Netscape libraries, they were being used by another, unrelated code base. The developers of the vulnerable product even assured us the libraries were not being used. After manually verifying the tests on this product, someone finally admitted they had re-used some old Netscape code. Qualys identified the wrong webserver package, but the right buffer overflow. I'm okay with that.

-ae