RE: Qualys

From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Fri Feb 10 2006 - 12:48:03 EST


> -----Original Message-----
> Curt Purdy wrote:
> > FYI, I did an analysis of a bank's (not mine) vuln test by
> Qualys and EVERY "found vulnerability" was a false positive
> i.e. a found Apache vuln on an IIS server. I would never spend
> good money using them.

We used to have an annual scanner bake-off here at my employer,
and Qualys was consistently one of the top performers. I haven't
kept up with the product recently, but this doesn't sound like
the Qualys I worked with.

We vigorously debated tests and results, from cross-site tracing
to buffer overflows in some old Netscape libraries. Qualys was
one of a small handful of vendors who gave us direct access to
their developers (Qualys, eEye, NGS come to mind) and the only
vendor that actually provided us source code for exploit tests
so that we could manually verify on our end what was being
performed by the checks.

Your description does not sound like the Qualys I worked with.

I find that human analysis is critical in these situations. If
you trust the vendor has properly built checks, then finding an
"apache vuln on an IIS server" would make me inspect and see
what exactly was going on, and make sure that it is a false
positive, and someone isn't running some Apache or apache-library
related code on the IIS server.

In the example of the above mentioned Netscape libraries, they
were being used by another unrelated code base. The developers of
the vulnerable product even assured us the libraries were not being
used. After manually verifying the tests on this product, someone
finally admitted they had re-used some old Netscape code.

Qualys identified the wrong webserver package, but the right
buffer overflow. I'm okay with that.

-ae
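The triage rule the post argues for (a product mismatch such as "Apache vuln on an IIS server" is a reason to look closer, not an automatic false positive, because a reused library can carry the real bug) as an added example; this is not code from the thread or from Qualys, and the `Finding`/`Host` fields and the constructed sample findings are assumptions:

```python
from dataclasses import dataclass
from collections import Counter

@dataclass
class Finding:
    check_id: str           # scanner's check identifier (constructed, not a real Qualys QID)
    claimed_product: str    # product the scanner attributed the vulnerability to
    method: str             # "banner": inferred from version string; "active": a probe was sent
    probe_confirmed: bool   # True only if an active probe elicited the vulnerable behaviour

@dataclass
class Host:
    observed_server: str    # what the analyst actually fingerprinted on the host

def triage(finding: Finding, host: Host) -> str:
    """Classify a scanner finding for human follow-up.

    The key point: a product mismatch alone never yields 'false positive'
    when the check actively confirmed the behaviour, since the bug may live
    in a library reused by a different product (the Netscape-library case).
    """
    product_matches = finding.claimed_product.lower() in host.observed_server.lower()
    if finding.method == "active" and finding.probe_confirmed:
        # Right vulnerability, possibly wrong package name: still real.
        return "confirmed" if product_matches else "confirmed-mislabelled"
    if finding.method == "banner":
        # Version inference alone is never proof, even when the product matches.
        return "verify-manually" if product_matches else "likely-false-positive"
    return "verify-manually"

def triage_report(findings: list[Finding], host: Host) -> dict[str, int]:
    """Count triage outcomes so the analyst sees what actually needs hands-on work."""
    return dict(Counter(triage(f, host) for f in findings))

# Constructed sample: an IIS host, three scanner findings of differing quality.
SAMPLE_HOST = Host(observed_server="Microsoft-IIS/5.0")
SAMPLE_FINDINGS = [
    Finding("CHK-1", "Apache", "banner", False),   # Apache vuln claimed on IIS from a banner
    Finding("CHK-2", "Apache", "active", True),    # probe worked: reused library, real bug
    Finding("CHK-3", "IIS", "banner", False),      # right product, but version-guess only
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.check_id, triage(f, SAMPLE_HOST))
    print(triage_report(SAMPLE_FINDINGS, SAMPLE_HOST))
```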




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:29 EDT