
Re: False-negatives in several Vulnerability Assessment tools

From: Jimi Thompson <jimit(at)myrealbox.com>
Date: Wed Apr 16 2003 - 20:53:25 EDT

><SNIP>

</SNIP>

>My current employer, which is a Fortune 10 company, shall be
>referred to as "Ralph Co." I've been with Ralph Co for 2 years now.
>Our security there is relatively pathetic. I have had to go to
>upper management because our security manager will run a scan at
>random and decide a given service needs to be terminated because the
>scanning tool that he's demo-ing that week says that it's a
>"critical vulnerability". I have had to try to explain to him
>several times that he pays us a lot of money to exercise our
>professional judgement in verifying what is and is not a real
>vulnerability. His answer is that "The tool says so, so it must be."

The nadir of this process was him insisting that we shut down a "Code Red Infected Server". Too bad it turned out to be a developer's Apple iBook.

My point with all this is what you do with the scans AFTER you run them. If you want intelligent analysis of the report, you get a security professional who knows how to check things manually and knows when output from the scanner looks dubious. Any reasonably intelligent person can operate the scanner software and print out the report when it's done. The skill and expertise come in interpreting the output and making meaningful suggestions that actually improve security.

-- 
Thanks,

Ms. Jimi Thompson, CISSP, Rev.

"I'm a great believer in luck, and I find the harder I work, the more 
I have of it." -- Thomas Jefferson


Received on Thu Apr 17 13:07:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:35 EDT
