Security Basics

Thread index:

- Need Some Basic Information - Dec 19 2011 12:22PM - shivaone gmail com (4 replies)
- Re: Need Some Basic Information - Dec 20 2011 05:59PM - Steve Armstrong (SteveArmstrong LogicallySecure com)
- Re: Need Some Basic Information - Dec 19 2011 10:42PM - Fábio Soto (fabio andradesoto com br) (1 replies)
- Re: Need Some Basic Information - Dec 19 2011 11:48PM - Todd Haverkos (infosec haverkos com) (1 replies)
- Re: Need Some Basic Information - Dec 20 2011 02:54AM - Fábio Soto (fabio andradesoto com br) (1 replies)
vulnerable products. I know that
Nessus can solve this problem using credentialed scan, but what issues
are there with credentialed scans?
On 20 December 2011 02:54, Fábio Soto <fabio (at) andradesoto.com (dot) br [email concealed]> wrote:
> In my experience that's true... I've already discovered and developed exploits to unknown vulnerabilities during pentesting.
>
> As Nessus is a "knowledge base" driven tool, it cannot discover vulnerabilities which aren't in its base.
>
> Some blind SQL injections, buffer and heap overflows will not be covered by scanning tools. Social engineering will not be covered as well ;)
>
> About the glorified repackaged scans, that is indeed a really sad reality... :(
>
> On 19/12/2011, at 21:48, Todd Haverkos <infosec (at) haverkos (dot) com [email concealed]> wrote:
>
>> Fábio Soto <fabio (at) andradesoto.com (dot) br [email concealed]> writes:
>>
>>> Nessus or any other scanning tool will give too much false
>>> positives, or fail to detect many vulnerabilities.
>>
>> That's not true in my experience if credentialed scanning is used,
>> unless you're highlighting that scanners do poorly against web app
>> vulns. Passive vulnerability scanning is not prone to false positives
>> either, for what it's worth.
>>
>>> Probably you'll need some professional pentesting services.
>>
>> Which at the low and unethical end are glorified repackaged Nessus or
>> [insert other vuln scanner] scans (sad to say).
>>
>> Best Regards,
>> --
>> Todd Haverkos, LPT MsCompE
>> http://haverkos.com/
>>
>> ------------------------------------------------------------------------
>> Securing Apache Web Server with thawte Digital Certificate
>> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
>> ------------------------------------------------------------------------
>>
>
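The thread makes two points about knowledge-base-driven scanners: an unauthenticated scan matches service banners and therefore flags hosts whose fix was backported without a version bump, while a credentialed scan can compare the installed package revision against the one that carries the fix; and neither mode can report a flaw that is not in the knowledge base. The toy model below is an added example written for this page, not code from Nessus or from anyone in the thread. All hosts, banners, package versions and knowledge-base entries are constructed, the advisory ids are placeholders rather than real CVEs, and `version_key` is a deliberately simplified ordering, not dpkg's comparison algorithm.

```python
import re
from dataclasses import dataclass, field

# Constructed hosts: the banner is what an unauthenticated network probe sees;
# the package table is only readable once the scanner can log in.
@dataclass
class Host:
    name: str
    banner: str
    packages: dict = field(default_factory=dict)

# Constructed knowledge base. Each entry records the upstream version string
# that is affected and the distro package revision that carries the backported
# fix. The advisory id is a placeholder, not a real CVE.
KNOWLEDGE_BASE = [
    {"id": "ADV-PLACEHOLDER-1", "product": "Apache/2.2.16",
     "package": "apache2", "fixed_in": "2.2.16-6+squeeze4"},
]

def version_key(version):
    """Simplified numeric ordering of a version string (toy, not dpkg's algorithm)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def uncredentialed_scan(host):
    """Banner matching only: a backported fix leaves the banner unchanged,
    so a patched host is reported exactly like an unpatched one."""
    return sorted(e["id"] for e in KNOWLEDGE_BASE if e["product"] in host.banner)

def credentialed_scan(host):
    """With login access the scanner compares the installed package revision
    against the revision that carries the fix."""
    findings = []
    for e in KNOWLEDGE_BASE:
        installed = host.packages.get(e["package"])
        if installed is None:
            continue  # product not installed, nothing to report
        if version_key(installed) < version_key(e["fixed_in"]):
            findings.append(e["id"])
    return sorted(findings)

def evaluate(hosts, ground_truth):
    """Count true positives, false positives and misses per scan mode against
    a constructed ground truth, so the two failure modes become visible."""
    report = {}
    modes = (("uncredentialed", uncredentialed_scan), ("credentialed", credentialed_scan))
    for mode, scan in modes:
        tp = fp = missed = 0
        for h in hosts:
            found = set(scan(h))
            real = set(ground_truth.get(h.name, ()))
            tp += len(found & real)
            fp += len(found - real)
            missed += len(real - found)
        report[mode] = {"true_positives": tp, "false_positives": fp, "missed": missed}
    return report

# Constructed inventory: web-1 has the backported fix, web-2 is really unpatched,
# web-3 is patched but runs an in-house app with a flaw no knowledge base lists.
HOSTS = [
    Host("web-1", "Apache/2.2.16 (Debian)", {"apache2": "2.2.16-6+squeeze4"}),
    Host("web-2", "Apache/2.2.16 (Debian)", {"apache2": "2.2.16-6+squeeze1"}),
    Host("web-3", "Apache/2.2.16 (Debian)", {"apache2": "2.2.16-6+squeeze4",
                                             "inhouse-app": "1.0"}),
]

# Constructed ground truth used only to score the two scan modes.
GROUND_TRUTH = {"web-2": ["ADV-PLACEHOLDER-1"], "web-3": ["UNKNOWN-INHOUSE-FLAW"]}

if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, "uncredentialed:", uncredentialed_scan(h),
              "credentialed:", credentialed_scan(h))
    print(evaluate(HOSTS, GROUND_TRUTH))
```

Running it shows the banner-only mode reporting web-1 and web-3 as vulnerable (two false positives, since both carry the backported fix), the credentialed mode reporting only web-2, and both modes missing web-3's in-house flaw because nothing in the knowledge base describes it. That last gap is the one a scanner cannot close on its own, whichever mode it runs in.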