RE: [fw-wiz] VA vs PT tool
From: Ben Nagy (ben_at_iagu.net)
To: <SimonChan@lifeisgreat.com.sg>, <firstname.lastname@example.org>
Date: Fri, 13 Jun 2003 20:33:15 +0200
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf
> Of SimonChan@lifeisgreat.com.sg[...]
> Hi fw-wiz,
> I posted some time on the list a couple of months back for
> some recommendations on a good VA tool.
> The bulk of the responses pointed to ISS, NetRecon and Vigilante.
I don't work for any of them, but I am currently in the space, and this
may be considered a disclaimer. :)
> However, a VA tool is limited, in that it only stops at the
> I'm looking at a Pen Test tool that not only does the VA
> functionality but also exploits the vulnerability, thus
> defining it as a real THREAT and not just a vulnerability.
> Is there a widely accepted tool on the market right now?
I'll answer this question in two parts.
a) Nessus is the closest you'll get to an "aggressive" VA tool. In some
cases it will try to exploit vulnerabilities if you tell it to. CAVEAT -
go read the recent thread on vuln-dev about what nessus does to
production networks. (this is not to say I don't like nessus, I just
wouldn't run it on a production network - navré Renaud. ;)
b) I would submit that you don't really want to do that.
Let me ramble.
Back to basics time - any business RISK is made up of three things. A
VULNERABILITY, which is a problem or a 'hole' or a bug or whatever. A
THREAT, which is also called an attack vector - a way this vulnerability
can be attacked. If you have a vulnerability but no threat then you
don't have a problem. Finally, for there to be a risk there must be a
NEGATIVE OUTCOME - if one of my servers gets hacked but there is no
negative outcome (e.g. the server is a honeypot) then there is no
So, with that in mind, I would say that your distinction above about the
difference between a vulnerability and a threat isn't quite right. A
more accurate tool is better, because it's good to know exactly what
your vulnerabilities are in order to assess risk. However, the
difference between an INTRUSIVE and a NON-INTRUSIVE tool is basically
just one of accuracy; in theory, intrusive tools are more accurate. In
practice, I would question that. And, in addition, in reality most
people don't want to be running intrusive tools on their production
networks. The gain in accuracy isn't worth the loss in productivity when
things fall over.
My take on the industry at the moment is that most of the leading tools
are OK at finding vulnerabilities, although I happen to genuinely
believe that ours is the best and most flexible (honest!). None of
the tools are very good at telling you what your threats are, because
this is virtually impossible to do with a tool. And only a few of the
tools have any sort of interface to try and correlate things with the
negative outcome, or potential loss - and the ones that do are so
rudimentary that they don't get me very excited. What does this say to
me? That we still need a security person with a brain to parse the
results of all the tools. However, I really think that organisations
that are trying to seriously assess business risk without some form of
VA are just Making Crap Up.
Like the ISS server that got hacked, which was....a honeypot! Sure.
Nothing to see here. Move along, we're a hedge.
I would only consider two of the tools you mentioned as belonging to
No way is this plug getting past Paul if I mention the company. :D
Nobody will get this comic reference, but that's OK. Ninjas. They're
firewall-wizards mailing list