Re: nessus exceptions

From: Stefano Zanero (stefano.zanero@ieee.org)
Date: Tue Aug 10 2004 - 12:46:38 EDT


FocusHacks wrote:

> Indeed, most pen-testers will disclose what tools they use and the raw
> output of these tools if you ask. Especially if you let them know
> before the testing starts, that you'll want this information.
>
> It would be sad if your assessment team is doing little more than
> cleaning up and adding documentation to a nessus scan report. :(

It seems to me that we are mixing up again two VERY different things:
vulnerability assessment and pen-testing.

If a pen-testing company just uses Nessus it shouldn't be difficult to
spot, because Nessus is NOT going to give out a pen-test report, in no
way :)

So we have to assume that we are talking about VULNERABILITY ASSESSMENT
companies... and the question actually is, how many of the "commercial
vulnerability scanners" out there are not actually based on Nessus? :)

Stefano


