Re: [fw-wiz] VA vs PT tool

From: Cat Okita
Date: 06/15/03

  • Next message: Barney Wolff: "Re: [fw-wiz] HTTPS, proxies, and remote developers."
    To: Gregory Austin
    Date: Sun, 15 Jun 2003 13:19:42 -0400 (EDT)

    On Fri, 13 Jun 2003, Gregory Austin wrote:
    > Of course Ben's response also included what I think is an unjust shot
    > at Nessus. In my experience *all* of the tools are capable of screwing up
    > something on a production network, not just Nessus. Configured correctly
    > Nessus is no worse than most and better than some. IMNSHO Nessus is the
    > only product in this class that is worth as much or more than what you paid
    > for it. I'm often in the position of testing with both Nessus and another
    > (commercial) vulnerability assessment tool, and I've found that the biggest
    > difference between them is fairly small--their results mostly overlap, with
    > each one finding something useful the other didn't. Of course the other
    > not so minor difference is the $20,000 gap between the two when it comes to
    > testing a large environment. There are legitimate places to pick on Nessus
    > (occasional instability and weak data manipulation/reporting are a couple
    > that jump to mind) but I think suggesting it will burn down your network is
    > a bit silly. I've used it on plenty of production networks, and many of my
    > customers run it regularly on their production networks--with no unusual
    > amount of pain and suffering.

    I believe that you're missing the point. Correctly configured, most
    products don't cause problems. Correctly configured is in the vast
    minority (or most of us would be out of a job).

    Nessus has been repeatedly documented to Do Bad Things (tm) on production
    (and other) networks. Certainly other products -can- cause problems - but
    an untweaked Nessus run -always- causes problems.

    "A cat spends her life conflicted between a deep, passionate and profound
    desire for fish and an equally deep, passionate and profound desire to
    avoid getting wet. This is the defining metaphor of my life right now."

    firewall-wizards mailing list
