Re: False-negatives in several Vulnerability Assessment tools

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: 04/16/03

  • Next message: Dawes, Rogan (ZA - Johannesburg): "RE: Proof of Concept Tool on Web Application Security" 
    Date: Tue, 15 Apr 2003 23:10:57 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: pen-test@securityfocus.com

    Very Informative article I must say,
    However,

    <quote>
    Numerous Vulnerability Assessment (VA) tools are available for security
    engineers, pen-testers and network administrators. Their results are
    mostly trusted by users since they don't have time nor competences to
    validate that output.
    </quote>

    Users should not be the one to validate the output, The result of (VA)
    tools should be thoroughly identified and manually checked by the
     
    <quote>
    security
    engineers, pen-testers and network administrators
    </quote>

    Another thing, now are we looking towards re-designing of several
    plugins for other languages and accordingly newer plugins to have
    different languages versions and it would effect several signatures in
    various (IDS) too.

    Did you contacted most if not all (VA) and (IDS) vendors regarding this,
     and what's their response?

    Regards
    --------
    Muhammad Faisal Rauf Danka

    _____________________________________________________________
    ---------------------------
    [ATTITUDEX.COM]
    http://www.attitudex.com/
    ---------------------------

    _____________________________________________________________
    Select your own custom email address for FREE! Get you@yourchoice.com w/No Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag

    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hand-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-pen-test
    ----------------------------------------------------------------------------

  • Next message: Dawes, Rogan (ZA - Johannesburg): "RE: Proof of Concept Tool on Web Application Security"

    Relevant Pages

    • Re: Army Corps Of Engineers = Homeland Security
      ... Engineers land, Mike, Woody and myself started reading up on it. ... yes the Army Corps of Engineers does support ... Homeland Security, but it also is the other way around. ... Security is the Security for the Army Corps of Engineers. ...
      (alt.gathering.rainbow)
    • Re: Army Corps Of Engineers = Homeland Security
      ... Engineers land, Mike, Woody and myself started reading up on it. ... yes the Army Corps of Engineers does support ... Homeland Security, but it also is the other way around. ... Security is the Security for the Army Corps of Engineers. ...
      (alt.gathering.rainbow)
    • Re: Ethical Hacking Training
      ... building are different than those to demolish a building. ... construction engineers and there are demolition experts. ... > security engineers, does not mean you or I really know our enemy and their ... > in enforcing secure coding standards and forcing vendors to clean up ...
      (Pen-Test)
    • Re: Routing Morpheus through AOL
      ... this is NOT a group for network administrators who wish to keep people ... from running Morpheus, but a group for people to openly discuss firewalls and security issues. ... ComSocks, but if it's a data proxy that you can setup on a remote machine, you can probably ...
      (comp.security.firewalls)
    • Re: Army Corps Of Engineers = Homeland Security
      ... Engineers, first law enforcement procedure is to contact Homeland ... security. ... to go to the Army Corps of Engineers web site click on the link for ...
      (alt.gathering.rainbow)