Penetration Testing mailing list archives
RE: Revising it [Vulnerability Scanning Doesn't Work]
From: "Steve Armstrong" <stevearmstrong () logicallysecure com>
Date: Thu, 8 Jan 2009 23:09:31 -0000
Adriel, This is not meant to be confrontational despite sounding that way, but in the interest of brevity - I thought this was a mail list and not a bloggers hijack point. I am sure you blog is interesting to some, but I would rather not get every post rammed down my inbox, I didn't sign up for that - it wasn't a check box on the security focus web site signup page. And let's think about this, what makes you so special - if everyone auto emailed their blog posts the mail list would rapidly lose its value. So as a suggestion why not keep your blog posts on.... your blog, and leave the mail list to being a mail list. Keeping it simple. Steve A -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adriel T. Desautels Sent: 08 January 2009 18:54 To: ArcSighter Elite Cc: me () abegetchell com; pen-test () securityfocus com; 'Security Basics' Subject: Revising it [Vulnerability Scanning Doesn't Work] To all of you who have commented: My last entry/article received a lot of input from a lot of different people. Some of the people were emotional, insulting and just not constructive but yet still amusing. Others were highly constructive and offered their perspective on what it was that I published. My goal with the blog is to make it an informational resource that is accurate and truthful. As such, I am going to make a few more modifications to the entry as to accommodate some things that I left out. Would the readers of this list rather that I post the entire blog entry to the list? Would the rather that I post a link? Or would they rather that I just not post here at all? I've set up a poll on the blog if you're interested in participating. The last thing that I want to do is to force my views down anyone's throats. Anyway, thank you again for the comments, I'm trying to keep it real. On Jan 8, 2009, at 1:03 PM, ArcSighter Elite wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Abe Getchell wrote:Hey Adriel, The title and opening paragraph of your blog post are quite misleading and rather reckless. There is definitely a false sense of security that is sold to some organizations by the developers of vulnerability scanning tools, but that is the fault of the purchasing organization (due to a lack of education and unqualified individuals making decisions), not those companies pushing their product. It's a consumer problem, not a technology or process problem, which you seem to describe it as in the bulk of your blog post. Vulnerability scanning tools can have a wonderfully awesome impact on your security posture if they're used in a manner in which they function adequately; as a compliance tool. While I understand the sales aspect of your blog post, what your customers (and any other organization investigating this type of technology) should understand is that they should not be "using a team of talented hackers for security testing instead of relying on automated vulnerability scanners", but rather "using a team of talented hackers AND vulnerability scanners for security testing and compliance". See ya, AbeI agree. IMHO, a pen-testers team is a must-use for any penetration testing scenario; they should be experienced people and the matter if they use vuln scanners or not, is of their choice. I see over and over (even in this list) post such as: "I'm doing a penetration test against a company. After running Acunetix, it show reports of x sql injection vulnerabilities. How can I probe my customer this is a high risk vuln? (...)" What company could trust their security to such case? I think no-one with a little of common sense. Vuln scanners are useful, but as I said, as with most tools, the human knowledge is the real factor. When you combine both they you get pen- test. Honestly. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFJZj/iH+KgkfcIQ8cRAusCAJ97dUxaYh0EVIr1b6x8CP3iBT8JUwCfTc3O gwCsn8ac113S5HT8eGP1S0U= =e2nz -----END PGP SIGNATURE-----
Adriel T. Desautels ad_lists () netragard com -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com The information contained in this e-Mail and any subsequent correspondence is private and is intended solely for the intended recipient(s). The information in this communication may be confidential and/or legally privileged. Nothing in this e-mail is intended to conclude a contract on behalf of Logically Secure Ltd or make Logically Secure Ltd subject to any other legally binding commitments, unless the e-mail contains an express statement to the contrary or incorporates a formal Purchase Order. For persons other than the intended recipient any disclosure, copying, distribution, or any action taken or omitted to be taken in reliance on such information is prohibited and may be unlawful. Registered in England and Wales No: 05967368. Registered Office: 36 Tudor Road, Lincoln, LN6 3LL.
Attachment:
smime.p7s
Description:
Current thread:
- Vulnerability Scanning Doesn't Work Adriel T. Desautels (Jan 08)
- RE: Vulnerability Scanning Doesn't Work Abe Getchell (Jan 09)
- Re: Vulnerability Scanning Doesn't Work ArcSighter Elite (Jan 09)
- Revising it [Vulnerability Scanning Doesn't Work] Adriel T. Desautels (Jan 09)
- RE: Revising it [Vulnerability Scanning Doesn't Work] Steve Armstrong (Jan 09)
- Message not available
- Re: Revising it [Vulnerability Scanning Doesn't Work] Adriel T. Desautels (Jan 11)
- Re: Vulnerability Scanning Doesn't Work ArcSighter Elite (Jan 09)
- RE: Vulnerability Scanning Doesn't Work Abe Getchell (Jan 09)
- Re: Vulnerability Scanning Doesn't Work NeZa (Jan 11)
- Re: Vulnerability Scanning Doesn't Work Adriel T. Desautels (Jan 11)
- Re: Vulnerability Scanning Doesn't Work Adriel T. Desautels (Jan 11)