[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners

To: Harlan Carvey <keydet89@xxxxxxxxx>
Subject: RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners
From: "Stuart Fox (DSL AK)" <StuartF@xxxxxxxxxxxxx>
Date: Thu, 29 Apr 2004 09:33:29 +1200

 
I think you're oversimplifying things a little.  Comments inline.

> 
> But there's also another way to look at the original 
> comment...security is a process.  Running a vulnerability 
> scanner isn't a process...it's a point-in-time check, a 
> snapshot.

But running a security scanner could well be part of that process.  Part of
the security management process is assessing what you have and why it's like
it is.  A security scan could well indicate areas where your process and
policies could be improved.  Sure, a vulnerability scanner is a point in
time check, but it's one way to help you identify what your current state
is.  If you don't know that your process is faulty, you don't stand a
chance.

  A good IT security auditor won't focus on the fact 
> that certain systems have vulnerabilities...he or she will 
> focus on *why* they have the vulnerabilities.

That's a really good point, and does need to be considered.  However, if the
auditor doesn't know that there *are* vulnerabilities, how will they know to
look for the *why*?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: AW: [Full-Disclosure] no more public exploits
Next by Date: RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners
Previous by thread: RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners
Next by thread: RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners
Index(es):
- Date
- Thread