Penetration Testing mailing list archives
Re: vulnerability scanners not effective? or just a false-positive?
From: Pete Herzog <lists () isecom org>
Date: Fri, 31 Mar 2006 13:57:28 +0200
Craig, You like to keep on my toes, that's for sure.
Pete stated: default banners ..."wouldn't be the threat, they would be the vulnerability if you're talking Risk" I would not even classify them as a vulnerability. They may form a part of an attack vector or a link in an attack tree, but not a vulnerability.
You're right. I got sloppy and should have said "on the vulnerability side" but didn't consider to remark on attack trees in my answer.
Knowing the structure of the web site is not in itself a risk or vulnerability. It can comprise a branch in an attack tree, but can not facilitate an attack in itself.
Actually, it can facilitate an attack. Information does make an attack easier to propagate.
In response to "Risk is relative to the organization not to you." This depends on the method used to determine risk. A "fluffy" qualitative risk analysis (there are better or worse qualitative techniques) based on opinion will fit this description. A detailed quantitative analysis using Stochastically defined models and a Bayesian likelihood analysis, maybe even integrating Bayesian linguistic techniques is fairly definitive no matter where you are.
Nothing fluffy. Nothing qualitative either. Risk is indeed always relative to the level of involvement and cost in taking the risk. You can have all the models in the world but risk is still a preference based on what one values.
Sincerely, -pete. ------------------------------------------------------------------------------ This List Sponsored by: CenzicConcerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025 And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------
Current thread:
- vulnerability scanners not effective? or just a false-positive? Joel Jose (Mar 29)
- Re: vulnerability scanners not effective? or just a false-positive? James Davis (Mar 30)
- Re: vulnerability scanners not effective? or just a false-positive? Pete Herzog (Mar 30)
- Re: vulnerability scanners not effective? or just a false-positive? Kyle Maxwell (Mar 30)
- <Possible follow-ups>
- RE: vulnerability scanners not effective? or just a false-positive? David Ball (Mar 29)
- RE: vulnerability scanners not effective? or just a false-positive? Craig Wright (Mar 31)
- Re: vulnerability scanners not effective? or just a false-positive? Pete Herzog (Mar 31)
- Re: vulnerability scanners not effective? or just a false-positive? Joel Jose (Mar 31)