[9493] in bugtraq
Re: ISS Internet Scanner Cannot be relied upon for conclusive
daemon@ATHENA.MIT.EDU (Ulf Munkedal)
Thu Feb 11 20:00:28 1999
Date: Wed, 10 Feb 1999 23:13:22 +0100
Reply-To: Ulf Munkedal <munkedal@N-M.COM>
From: Ulf Munkedal <munkedal@N-M.COM>
To: BUGTRAQ@NETSPACE.ORG
Interesting discussion but everyone seems to be missing the basic point
here. The point lies in the question: "what is the exact passed/failed
criteria for each test?". An elementary part of any QA testing.
If the passed/failed criteria is not know then it's _very_ difficult to use
the result. And this is a basic problem with a lot of security scanners out
there today, including the Internet Scanner. What exactly is the criteria
for stating a vulnerability as found or not found? All vendors could do a
far better job on documenting this.
We use a lot of tools (commercial, expoits, scripts etc) and have written a
lot of our own stuff. And very often teh problem with any tool boils down
to the passed/failed criteria for each test executed by that specific tool.
E.g. of the more than 1500 vulnerabilities we have found on over 400
systems we have tested so far we have found 36% of all the vulnerabilities
manually. The tools were only able to find 64% of them... An important
reason for this is lack of correct or even just documented passed/failed
criteria. Simple but true.
Ulf
---
Ulf Munkedal
Partner
Neupart & Munkedal
http://www.n-m.com
Tel +45 7020 6565
Fax +45 7020 6065
Public PGP Key: http://www.n-m.com/pgp/
---
SecureTest
- Vished for Internet-sikkerhed
