Comments on: 3 Reasons why Automated Vulnerability Scanning does not work http://www.ivizsecurity.com/blog/penetration-testing/what-everybody-ought-to-know-about-free-vulnerability-scanning/ The Authoritative Blog on Penetration Testing Thu, 13 Oct 2011 11:49:03 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Vasant http://www.ivizsecurity.com/blog/penetration-testing/what-everybody-ought-to-know-about-free-vulnerability-scanning/comment-page-1/#comment-3248 Vasant Fri, 05 Mar 2010 06:57:35 +0000 http://www.ivizsecurity.com/blog/?p=99#comment-3248 Lets see if Pen-tests could live up what the 3 reasons. R#1 Pentests also will only CONFIRM the existence of the vulnerability and that its exploitable, BUT still doesn't protect the network. R#2 So how will the patch availablity or its unavailibility be solved by Pen-testing. If you have a vulnerability which has been proved to be exploitable by a pen-test AND still you don't have a patch -- you still at square 1. R#3 Yes agree false positives is a problem with VA tools and pen-testing can help confirm a vulnerability but thats not a reason why VA tools work. Without VA you couldn't even think of pen-testing. Could you have done the pen-test without the knowledge of the vulnerability. Point is VA is not the end all. Pen-testing can help in confirming the vulnerability or not but saying VA don't work is not correct. Its like you want to show humans bones can withstand more than twice the human body weight. I don't need to lift a 150 kg to show it everytime. If its proved, people do get the message. Love to hear your comments. Lets see if Pen-tests could live up what the 3 reasons.

R#1 Pentests also will only CONFIRM the existence of the vulnerability and that its exploitable, BUT still doesn’t protect the network.

R#2 So how will the patch availablity or its unavailibility be solved by Pen-testing. If you have a vulnerability which has been proved to be exploitable by a pen-test AND still you don’t have a patch — you still at square 1.

R#3 Yes agree false positives is a problem with VA tools and pen-testing can help confirm a vulnerability but thats not a reason why VA tools work. Without VA you couldn’t even think of pen-testing. Could you have done the pen-test without the knowledge of the vulnerability.

Point is VA is not the end all. Pen-testing can help in confirming the vulnerability or not but saying VA don’t work is not correct. Its like you want to show humans bones can withstand more than twice the human body weight. I don’t need to lift a 150 kg to show it everytime. If its proved, people do get the message.

Love to hear your comments.

]]> By: Vasant http://www.ivizsecurity.com/blog/penetration-testing/what-everybody-ought-to-know-about-free-vulnerability-scanning/comment-page-1/#comment-3247 Vasant Fri, 05 Mar 2010 06:47:26 +0000 http://www.ivizsecurity.com/blog/?p=99#comment-3247 So you mean to say we should all stop doing VA .. and just do Pen tests .. Wonder how pen-tests know about vulnerabilities, if they don't scan for vulnerabilities. Hmmm. ... So you mean to say we should all stop doing VA .. and just do Pen tests .. Wonder how pen-tests know about vulnerabilities, if they don’t scan for vulnerabilities.

Hmmm. …

]]> By: penetration testers - StartTags.com http://www.ivizsecurity.com/blog/penetration-testing/what-everybody-ought-to-know-about-free-vulnerability-scanning/comment-page-1/#comment-3056 penetration testers - StartTags.com Thu, 28 Jan 2010 08:48:19 +0000 http://www.ivizsecurity.com/blog/?p=99#comment-3056 [...] Security and Pen Testers need to know to get the job done | Ajit Gaddam: TechNews and Security ...3 Reasons why Automated Vulnerability Scanning does not workResults from Automated Vulnerability scanning is often misleading while managing the security of a [...] [...] Security and Pen Testers need to know to get the job done | Ajit Gaddam: TechNews and Security …3 Reasons why Automated Vulnerability Scanning does not workResults from Automated Vulnerability scanning is often misleading while managing the security of a [...]

]]>