Re: Qualys

From: Ben Nelson (lists@venom600.org)
Date: Thu Feb 09 2006 - 17:08:24 EST


Curt Purdy wrote:
> FYI, I did an analysis of a bank's (not mine) vuln test by Qualys and EVERY
> "found vulnerability" was a false positive i.e. a found Apache vuln on an
> IIS server. I would never spend good money using them.
>

FWIW: I use Qualys on a daily basis and have found some false-positives
from time to time. Every time I find a FP, though, I contact Qualys and
they work pretty diligently to tweak their scanning engine and/or
signatures as necessary to correct the issue. They take false positives
pretty seriously (they have to if they want to be ranked among the
best). I've been really pleased with the solution so far and use it to
scan over a thousand IP addresses daily.

That being said: Any solution employed for this type of testing should
always have a knowledgeable human behind it, validating the results.
This is probably not a ground-breaking concept for anyone here, but it's
a concept that can always use reinforcement.

--Ben
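The validation step Ben describes can be partly mechanised before a human looks at the report. The following is an added example, not code from the original post or from Qualys: it takes the kind of platform-mismatch false positive Curt cites (an Apache finding on an IIS host) and flags it by comparing the product a finding names against the product seen in the host's Server header. The findings, hosts and banners are constructed sample data, not real scanner output.

```python
import re

# Constructed sample findings, modelled on the mismatch described in the
# thread. "product" is the server family the finding's signature targets
# (None when the finding is product-agnostic). Hosts and titles are invented.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "title": "Apache mod_rewrite overflow", "product": "apache"},
    {"host": "10.0.0.5", "title": "Server header reveals version", "product": None},
    {"host": "10.0.0.7", "title": "Apache mod_rewrite overflow", "product": "apache"},
    {"host": "10.0.0.9", "title": "IIS WebDAV overflow", "product": "iis"},
]

# Constructed Server headers, as a reviewer would capture them with
# `curl -I` or a banner grab, keyed by host. 10.0.0.9 deliberately has
# no captured banner.
SAMPLE_BANNERS = {
    "10.0.0.5": "Microsoft-IIS/6.0",
    "10.0.0.7": "Apache/2.0.55 (Unix)",
}

# Server-header prefixes for the product families we can recognise.
PRODUCT_PATTERNS = {
    "apache": re.compile(r"^Apache\b", re.I),
    "iis": re.compile(r"^Microsoft-IIS\b", re.I),
    "nginx": re.compile(r"^nginx\b", re.I),
}


def server_product(banner):
    """Map a Server header to a product family, or None if unrecognised."""
    if not banner:
        return None
    for product, pattern in PRODUCT_PATTERNS.items():
        if pattern.search(banner.strip()):
            return product
    return None


def triage(findings, banners):
    """Label each finding for the human reviewer.

    likely-fp  : finding targets one product, banner shows a different one
    consistent : finding's product matches the observed banner
    unverified : no banner, unrecognised banner, or product-agnostic finding
    """
    results = []
    for f in findings:
        observed = server_product(banners.get(f["host"]))
        claimed = f["product"]
        if claimed is None or observed is None:
            status = "unverified"
        elif claimed == observed:
            status = "consistent"
        else:
            status = "likely-fp"
        results.append({**f, "observed": observed, "status": status})
    return results


def summarize(results):
    """Count findings per triage status."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


if __name__ == "__main__":
    triaged = triage(SAMPLE_FINDINGS, SAMPLE_BANNERS)
    for r in triaged:
        print(f'{r["host"]:<10} {r["status"]:<11} {r["title"]} '
              f'(banner product: {r["observed"]})')
    print(summarize(triaged))
```

Two caveats for anyone using this as a first pass: a Server header is trivially changed or stripped, so "likely-fp" is a prompt for a person to look, not proof; and "consistent" only means the platform matches, not that the vulnerability is real. Anything tagged "unverified" still needs the same manual check the post calls for.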

