RE: [fw-wiz] VA vs PT tool

From: Ben Nagy (
Date: 06/13/03

  • Next message: Devdas Bhagat: "[fw-wiz] HTTPS, proxies, and remote developers."
    To: <>, <>
    Date: Fri, 13 Jun 2003 20:33:15 +0200

    > -----Original Message-----
    > From:
    > [] On Behalf
    > Of[...]
    > Hi fw-wiz,
    > I posted some time on the list a couple of months back for
    > some recommendations on a good VA tool.
    > The bulk of the responses pointed to ISS, NetRecon and Vigilante.

    I don't work for any of them, but I am currently in the space, and this
    may be considered a disclaimer. :)

    > However, a VA tool is limited, in that it only stops at the
    > vulnerability.
    > I'm looking at a Pen Test tool that not only does the VA
    > functionality but also exploits the vulnerability, thus
    > defining it as a real THREAT and not just a vulnerability.
    > Is there a widely accepted tool on the market right now?

    I'll answer this question in two parts.

    a) Nessus is the closest you'll get to an "aggressive" VA tool. In some
    cases it will try to exploit vulnerabilities if you tell it to. CAVEAT -
    go read the recent thread on vuln-dev about what Nessus does to
    production networks. (This is not to say I don't like Nessus, I just
    wouldn't run it on a production network - sorry, Renaud. ;)

    b) I would submit that you don't really want to do that.

    Let me ramble.

    Back to basics time - any business RISK is made up of three things. A
    VULNERABILITY, which is a problem or a 'hole' or a bug or whatever. A
    THREAT, which is also called an attack vector - a way this vulnerability
    can be attacked. If you have a vulnerability but no threat then you
    don't have a problem. Finally, for there to be a risk there must be a
    NEGATIVE OUTCOME - if one of my servers gets hacked but there is no
    negative outcome (e.g. the server is a honeypot [1]) then there is no

    So, with that in mind, I would say that your distinction above about the
    difference between a vulnerability and a threat isn't quite right. A
    more accurate tool is better, because it's good to know exactly what
    your vulnerabilities are in order to assess risk. However, the
    difference between an INTRUSIVE and a NON-INTRUSIVE tool is basically
    just one of accuracy; in theory, intrusive tools are more accurate. In
    practice, I would question that. And, in addition, in reality most
    people don't want to be running intrusive tools on their production
    networks. The gain in accuracy isn't worth the loss in productivity when
    things fall over.

    My take on the industry at the moment is that most of the leading tools
    are OK at finding vulnerabilities [2], although I happen to genuinely
    believe that ours is the best and most flexible (honest!)[3]. None of
    the tools are very good at telling you what your threats are, because
    this is virtually impossible to do with a tool. And only a few of the
    tools have any sort of interface to try and correlate things with the
    negative outcome, or potential loss - and the ones that do are so
    rudimentary that they don't get me very excited. What does this say to
    me? That we still need a security person with a brain to parse the
    results of all the tools. However, I really think that organisations
    that are trying to seriously assess business risk without some form of
    VA are just Making Crap Up.


    [1] Like the ISS server that got hacked, which was....a honeypot! Sure.
    Nothing to see here. Move along, we're a hedge.[4]
    [2] I would only consider two of the tools you mentioned as belonging to
    that category.
    [3] No way is this plug getting past Paul if I mention the company. :D
    [4] Nobody will get this comic reference, but that's OK. Ninjas. They're

    firewall-wizards mailing list
