Interesting discussion but everyone seems to be missing the basic point here. The point lies in the question: "what is the exact passed/failed criteria for each test?". An elementary part of any QA testing. If the passed/failed criteria is not known then it's _very_ difficult to use the result. And this is a basic problem with a lot of security scanners out there today, including the Internet Scanner. What exactly is the criteria for stating a vulnerability as found or not found? All vendors could do a far better job on documenting this.

We use a lot of tools (commercial, exploits, scripts etc) and have written a lot of our own stuff. And very often the problem with any tool boils down to the passed/failed criteria for each test executed by that specific tool. E.g. of the more than 1500 vulnerabilities we have found on over 400 systems we have tested so far we have found 36% of all the vulnerabilities manually. The tools were only able to find 64% of them... An important reason for this is lack of correct or even just documented passed/failed criteria. Simple but true.

Ulf

---
Ulf Munkedal
Partner
Neupart & Munkedal
http://www.n-m.com
Tel +45 7020 6565
Fax +45 7020 6065
Public PGP Key: http://www.n-m.com/pgp/
---
SecureTest - Certainty about Internet security
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:50 PDT