WebApp Scanning Throwdown!
I have to apologize for errors in my original article. I missed a few findings in some of the reports, and misread a few items. Just to make this absolutely clear, errors in analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.
Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there’s not a lot of difference, though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.
(With apologies to Jack Nicholson and whoever originally crafted this gem. –Jedi)
“Son, we live in a world that has networks and those networks need to be guarded by men with balls and smarts. Who’s gonna do it? You? You sniveling admin? I have greater responsibility than you can possibly fathom.
You can weep for your permissions and curse security; you have that luxury. You have the luxury of not knowing what I know: that your inconvenience, while tragic to you, probably saved exploitations and that my existence, while grotesque and incomprehensible to you, saves this network. You don’t want the truth because deep down in places you don’t talk about at staff meetings you want me on that firewall, you need me on that SIM.
We use words like audit, vulnerability and hack. We use them as the backbone of a life trying to defend this network. You use them as a punch line. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very security I provide and then questions the manner in which I provide it. I would rather you just said “Thank You,” and went on your way. Otherwise, I suggest that you pick up a damn security manual and secure your system.
Either way, I don’t give a damn what you think you are entitled to.”
Just some quick observations here, maybe I’ll have time to write about them in more depth in the future.
- Information Security does not flow from Policy. It flows from Policy Implementation.
- You can have secure information without policy, and you can have policy but no secure information. They are not mutually inclusive.
- Always remember to use hashes in your Perl scripts to cache data that you look-up (DNS, whois, LDAP, whatever). It will make everything faster, trust me on this.
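As an added illustration of that last point (example code written for this page, not from the original post): a lookup function wrapped in a hash-based cache, the way you would when enriching a web-server log with reverse or forward DNS. The resolver is injectable so the script runs offline against a constructed fake DNS table; `live_lookup` uses core `Socket` for real runs. The hostnames and addresses are constructed sample data, and failed lookups are cached too, so a name that does not resolve is not retried on every log line.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

# Cache: hostname -> resolved address (undef is stored for failed lookups,
# so a known-bad name is not re-queried for every record that mentions it).
my %dns_cache;
my %stats = (hits => 0, misses => 0);

# Resolve a hostname once; subsequent calls are served from %dns_cache.
# $resolver is a code ref so the lookup can be swapped out for testing.
sub cached_lookup {
    my ($host, $resolver) = @_;
    $resolver = \&live_lookup unless defined $resolver;

    if (exists $dns_cache{$host}) {     # 'exists' so cached undef counts as a hit
        $stats{hits}++;
        return $dns_cache{$host};
    }
    $stats{misses}++;
    my $addr = $resolver->($host);
    $dns_cache{$host} = $addr;          # cache negative results as well
    return $addr;
}

# Real lookup via core Socket; returns a dotted quad or undef.
sub live_lookup {
    my ($host) = @_;
    my $packed = inet_aton($host);
    return defined $packed ? inet_ntoa($packed) : undef;
}

# Constructed fake DNS table standing in for the network (example values only).
my %fake_dns = (
    'www.example.com'  => '192.0.2.10',
    'mail.example.com' => '192.0.2.25',
);
my $fake_resolver = sub { my ($h) = @_; return $fake_dns{$h} };

# Constructed sample of hostnames as they might appear in a log: mostly repeats.
my @log_hosts = qw(
    www.example.com www.example.com mail.example.com
    www.example.com nosuch.example.invalid nosuch.example.invalid
);

for my $host (@log_hosts) {
    my $ip = cached_lookup($host, $fake_resolver);
    printf "%-25s -> %s\n", $host, defined $ip ? $ip : 'NXDOMAIN';
}
printf "lookups performed: %d, served from cache: %d\n", $stats{misses}, $stats{hits};
```

With the six sample hostnames above, only three lookups reach the resolver; the other three are answered from the hash. Drop the `$fake_resolver` argument to run it against real DNS.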