[9499] in bugtraq
Wrap-up to ISS thread
daemon@ATHENA.MIT.EDU (Mr. joej)
Fri Feb 12 00:30:37 1999
Date: Thu, 11 Feb 1999 09:30:38 PST
Reply-To: "Mr. joej" <mr_joej@HOTMAIL.COM>
From: "Mr. joej" <mr_joej@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG
ISS is not alone.
There is an interesting lesson to be learned here. While 'false
positives' are easy to spot (if you admin the box), 'false negatives'
are not so easy to identify. Both do exist in all security scanner
products I have seen.
I do believe that there should probably be some more documentation on
ISS's part. However the same goes for other vendors. There are many
ways to deal with 'false negatives' such as printing a list of
everything that the product scans for and saying 'hey I tested these
vulnerabilities, I don't think you're vulnerable, but can't prove it
100%'. In my opinion that is not acceptable. So what does that
mean...
Well my take on it is this. No commercial product will provide an
absolute vulnerability list 100% of the time. Once again proving that
there will always be a market for 'true' security professionals.
my last 2 cents ....
joej
Mr_JoeJ@hotmail.com
--------------------------------
aleph1: let's kill this thread, I'm tired of getting email about it.
Let's move on to fry bigger fish.