On Thu, Sep 06, 2001 at 02:41:35AM -0400, Wertheimer, Ishai wrote: > An e-commerce site is supposed to have an application layer or isn't it ? > What about auditing the application on top? > > Many e-commerce sites have been hacked although you wouldn't find any > vulnerability by running Nessus or such ! <off topic, self promotion> Actually, Nessus 1.1.x has some plugins dedicated to the analysis of CGIs. This is not as good as a humain brain with at least a two-digit IQ, but that's better than just doing nothing. (it will catch trivial things such as param=../../../../etc/passwd%00 and such, but not dir=/etc&file=passwd, even though the later seems trivial to any human being). </off topic. Sorry for that> But I agree with you - no automated tool can do a security _audit_. There's more to a security audit than just flashing redlights and showing /etc/passwd to the management. Policies have to be read and correlated with the real life on the network. Services that do not match the policy should be told to be disabled, even if they're not vulnerable to anything. A security audit is first a matter of checking that kind of thing rather than licensing the list of vulnerabilities on a network. Vulnerabilities appear and disappear every day. The policy never changes. -- Renaud -- Renaud Deraison The Nessus Project http://www.nessus.org ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:51:13 PDT