Penetration Testing mailing list archives
Re: Vulnerability Scanning Doesn't Work
From: ArcSighter Elite <arcsighter () gmail com>
Date: Thu, 08 Jan 2009 13:03:14 -0500
Abe Getchell wrote:
Hey Adriel, The title and opening paragraph of your blog post are quite misleading and rather reckless. There is definitely a false sense of security that is sold to some organizations by the developers of vulnerability scanning tools, but that is the fault of the purchasing organization (due to a lack of education and unqualified individuals making decisions), not those companies pushing their product. It's a consumer problem, not a technology or process problem, which you seem to describe it as in the bulk of your blog post. Vulnerability scanning tools can have a wonderfully awesome impact on your security posture if they're used in a manner in which they function adequately: as a compliance tool. While I understand the sales aspect of your blog post, what your customers (and any other organization investigating this type of technology) should understand is that they should not be "using a team of talented hackers for security testing instead of relying on automated vulnerability scanners", but rather "using a team of talented hackers AND vulnerability scanners for security testing and compliance". See ya, Abe
I agree. IMHO, a pen-tester team is a must for any penetration testing scenario; they should be experienced people, and whether they use vuln scanners or not is their choice. I see over and over (even in this list) posts such as: "I'm doing a penetration test against a company. After running Acunetix, it shows reports of x SQL injection vulnerabilities. How can I prove to my customer that this is a high-risk vuln? (...)" What company could trust their security to such a case? I think no one with a little common sense. Vuln scanners are useful, but as I said, as with most tools, the human knowledge is the real factor. When you combine both, you get a pen-test. Honestly.
Current thread:
- Vulnerability Scanning Doesn't Work Adriel T. Desautels (Jan 08)
- RE: Vulnerability Scanning Doesn't Work Abe Getchell (Jan 09)
- Re: Vulnerability Scanning Doesn't Work ArcSighter Elite (Jan 09)
- Revising it [Vulnerability Scanning Doesn't Work] Adriel T. Desautels (Jan 09)
- RE: Revising it [Vulnerability Scanning Doesn't Work] Steve Armstrong (Jan 09)
- Re: Revising it [Vulnerability Scanning Doesn't Work] Adriel T. Desautels (Jan 11)
- Re: Vulnerability Scanning Doesn't Work ArcSighter Elite (Jan 09)
- RE: Vulnerability Scanning Doesn't Work Abe Getchell (Jan 09)
- Re: Vulnerability Scanning Doesn't Work NeZa (Jan 11)
- Re: Vulnerability Scanning Doesn't Work Adriel T. Desautels (Jan 11)
- Re: Vulnerability Scanning Doesn't Work Adriel T. Desautels (Jan 11)