I think you're oversimplifying things a little. Comments inline.

> But there's also another way to look at the original
> comment...security is a process. Running a vulnerability
> scanner isn't a process...it's a point-in-time check, a
> snapshot.

But running a security scanner could well be part of that process. Part of the security management process is assessing what you have and why it's like it is. A security scan could well indicate areas where your process and policies could be improved. Sure, a vulnerability scanner is a point-in-time check, but it's one way to help you identify what your current state is. If you don't know that your process is faulty, you don't stand a chance.

> A good IT security auditor won't focus on the fact
> that certain systems have vulnerabilities...he or she will
> focus on *why* they have the vulnerabilities.

That's a really good point, and does need to be considered. However, if the auditor doesn't know that there *are* vulnerabilities, how will they know to look for the *why*?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
