From: H Carvey (keydet89@yahoo.com)
Date: Thu Aug 05 2004 - 13:27:49 EDT
>This plan has a flaw: what if they don't detect the holes? It gives
>you no information about whether or not they use anything besides
>Nessus; it only tells you that they didn't detect the hole.
>
>A better plan might be to ask them which portions of their output
>came from tools other than Nessus.
I like Foofus's approach. I've been involved with far too many audits and assessments (from both sides), where this technical approach to foiling or fooling the auditor ends up blowing up in your face.
If you're concerned about the tools that are used, sit down with the testing company and ask them. They should tell you.
Are you concerned that the testing company is using only one tool? Tools like this are only as good as the person who uses them. Do the testers understand the NASL scripts? Have they written their own custom scripts? If so, have any of these scripts been released back to the community (so that you can verify it)? Having a clueless operator run ISS and Nessus, rather than just one, really doesn't give you much.