Re: vulnerability scanners not effective? or just a false-positive?

From: Pete Herzog (lists@isecom.org)
Date: Fri Mar 31 2006 - 06:57:28 EST


Craig,

You like to keep me on my toes, that's for sure.

> Pete stated: default banners ..."wouldn't be the threat, they would be
> the vulnerability if you're talking Risk"
>
> I would not even classify them as a vulnerability. They may form a part
> of an attack vector or a link in an attack tree, but not a
> vulnerability.

You're right. I got sloppy and should have said "on the vulnerability
side" but didn't think to remark on attack trees in my answer.

> Knowing the structure of the web site is not in itself a risk or
> vulnerability. It can comprise a branch in an attack tree, but can not
> facilitate an attack in itself.

Actually, it can facilitate an attack. Information does make an attack
easier to propagate.

>
> In response to "Risk is relative to the organization not to you." This
> depends on the method used to determine risk. A "fluffy" qualitative
> risk analysis (there are better or worse qualitative techniques) based
> on opinion will fit this description. A detailed quantitative analysis
> using stochastically defined models and a Bayesian likelihood analysis,
> maybe even integrating Bayesian linguistic techniques, is fairly
> definitive no matter where you are.

Nothing fluffy. Nothing qualitative either. Risk is indeed always
relative to the level of involvement and cost in taking the risk. You
can have all the models in the world but risk is still a preference
based on what one values.

Sincerely,
-pete.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:46 EDT