I have looked at it. How many of the Nessus plugins actually reference them? Out of 1002 scripts, 318 reference CVE entries. My point is that use of such things is pretty weak. We can do a lot better. When I do a job, I have to track down information from dozens of places and figure out if this vulnerability really is a vulnerability (assumptions of the script), is this client really vulnerable (assumptions of the script), exactly which CVE etc. vulnerability it is (lack of information in the script), and what I really need to advise the client to do to fix it.
Everyone is building their own little scanning tool and there isn't much collaboration. Lately the false positive SNR and the false negative SNR are petering out. How can you trust results when they differ from scan to scan, when you get a lot of security holes for product ABC when such a product doesn't even exist? Nessus vs. Cybercrap^H^Hcop vs. Retina vs. etc., each has tests which are very accurate and each has tests which are very inaccurate, and they don't parallel.

As for standards in reporting, why does scanner ABC say something is critically important but scanner DEF says it's trivial? Some of the tests in Nessus report things as really important but then trivialize it in the description, and vice versa. The Queso detection is horribly inaccurate, but that is what's used in Nessus to determine what OS is running. This too varies from scanner to scanner. Does anyone have a publicly referenceable database of signatures for OS detection? Of the ones available, do any products share them?

Everyone picks their own priorities on tests and results, and everyone is interpreting them with sometimes very significant differences. It isn't just plugins that need commonality, it's the whole process. We, the testers, suffer the angst of the client because the client argues that your results don't match the previous contractor's. Who are they going to believe when everybody gives them something different? How can we argue our case when we know our stuff isn't rock solid?

David Thomas Reinke wrote:
> CVE IDs. They are available out of Nessus. The CVE db is
> supported by MANY vendors. The CVE db has lots of resources.
> Check cve.mitre.org.
>
> People _are_ making an effort to standardize plugin IDs,
> and it is happening. You just have to know where to look.
>
> Thomas
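The "318 of 1002 plugins reference CVE entries" figure above is the kind of coverage audit a tester can reproduce for any plugin tree. The following script is an added example, not code from the thread or from the Nessus project: it scans NASL plugin sources for `script_cve_id(...)` declarations (the real NASL call used to attach CVE references), de-duplicates the IDs per plugin, and reports which plugins carry no machine-readable CVE reference at all. The three plugin texts and their `CVE-0000-NNNN` identifiers are constructed placeholders for the demo, not real entries; the `desc_only.nasl` case shows a plugin that only mentions a CVE in free text, which the audit deliberately counts as unreferenced.

```python
"""Audit NASL plugin sources for machine-readable CVE references.

Added example, not part of the original mailing-list thread. It assumes
plugins declare references via script_cve_id("CVE-YYYY-NNNN", ...); the
sample plugin sources below are constructed for the demo.
"""
import re
from collections import Counter

# A NASL plugin attaches CVE references with script_cve_id(...). The first
# pattern captures the whole argument list (which may span lines); the
# second pulls the individual IDs out of it.
CVE_CALL_RE = re.compile(r'script_cve_id\s*\(([^)]*)\)')
CVE_ID_RE = re.compile(r'CVE-\d{4}-\d{4,}')

# Constructed sample plugins; the CVE numbers are placeholders, not real IDs.
SAMPLE_PLUGINS = {
    "two_cves.nasl": '''
if (description) {
  script_name("Constructed plugin A");
  script_cve_id("CVE-0000-0001", "CVE-0000-0002",
                "CVE-0000-0001");   # duplicate, should be counted once
  exit(0);
}
''',
    "one_cve.nasl": '''
if (description) {
  script_name("Constructed plugin B");
  script_cve_id("CVE-0000-0003");
  exit(0);
}
''',
    "desc_only.nasl": '''
if (description) {
  script_name("Constructed plugin C");
  # CVE only mentioned in prose; no script_cve_id() call, so a tool
  # correlating findings by CVE cannot see it.
  script_description("Vendor advisory refers to CVE-0000-0004.");
  exit(0);
}
''',
}


def cve_ids_in_plugin(source: str) -> list[str]:
    """Return the CVE IDs a plugin declares via script_cve_id, in order, de-duplicated."""
    seen: list[str] = []
    for arg_list in CVE_CALL_RE.findall(source):
        for cve in CVE_ID_RE.findall(arg_list):
            if cve not in seen:
                seen.append(cve)
    return seen


def audit(plugins: dict[str, str]) -> dict:
    """Summarise CVE coverage over a mapping of filename -> NASL source."""
    by_plugin: dict[str, list[str]] = {}
    without_cve: list[str] = []
    for fname, src in plugins.items():
        ids = cve_ids_in_plugin(src)
        if ids:
            by_plugin[fname] = ids
        else:
            without_cve.append(fname)
    # How often each CVE is claimed across the tree; useful for spotting
    # several plugins that all test the same issue with different severities.
    cve_usage = Counter(cve for ids in by_plugin.values() for cve in ids)
    return {
        "total": len(plugins),
        "with_cve": len(by_plugin),
        "without_cve": sorted(without_cve),
        "by_plugin": by_plugin,
        "cve_usage": dict(cve_usage),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PLUGINS)
    print(f"{report['with_cve']} of {report['total']} plugins reference CVE entries")
    for fname in report["without_cve"]:
        print(f"  no script_cve_id: {fname}")
```

Pointed at a real plugin directory, `SAMPLE_PLUGINS` would be replaced by a dict built from reading each `*.nasl` file; the parsing logic is unchanged. The `without_cve` list is the actionable part of the report: those are the checks whose findings cannot be correlated with another scanner's output by CVE, which is exactly the cross-tool comparison problem the post complains about.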
