Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: 05/29/02


Date: Wed, 29 May 2002 04:13:20 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: pen-test@securityfocus.com

This will benefit nobody but the company itself and its customers.
I don't find it very bad; besides, this company has an offer which will (somehow) help pen-testers, security administrators / consultants, so why don't we expect them to raise financial benefits from it?

Hate towards them is just like hate towards Bill Gates. Bill Gates is alive and kicking, let them do that as well.

The following paragraph from the NGSS website seems so sensible:
>>>>The VNA system addresses goal (2) by ensuring the transparency of the patch process. It is in the customer's interests that all security issues in a particular vendor's software are clearly stated; historically this has not always been the case, and vendors have "rolled up" many security patches into a single patch, "service pack" or release. The VNA system encourages a finer granularity for the identification of security problems, thereby allowing customers to identify all of the problems relating to a particular product, and not just the number of patches. This obviously assists in goal (3).

----

So I guess it's all good; those who won't use it will still survive, and most of the pen testers will still continue to use old known bugs for their work. As far as NGSS thinking of keeping their vuln-info inside their scanners is concerned, I don't think it can be achieved: people with reverse engineering / sniffing etc. will get to the info, so that would be a lost call.

At last, it's just another product / service. It won't bother anyone (except slow patching vendors) in my opinion (but hey, I may be completely wrong). =)

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781

"Great is the Art of beginning, but Greater is the Art of ending."

------END GEEK CODE BLOCK------ Version: 3.1 GCS/CM/P/TW d- s: !a C++ L$ U+++ P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y- PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+ ------END GEEK CODE BLOCK------

--- Alfred Huger <ah@securityfocus.com> wrote:
> <SNIP>


---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
