> On 6/23/2012 2:49 AM, Sachin Murudkar wrote:
> > I have installed openvas successfully on a Linux system but the reports
> > don't seem to be up to date, as I am able to find hardly 1 or 2 high
> > vulnerabilities, whereas other vulnerability applications gave me more
> > results
One thing to compare is what's being considered a "vulnerability." While I haven't run OpenVAS yet (installation problems here, but I'll get back to it) I've run trial versions of commercial alternatives, and they are ridiculous in what they consider vulnerabilities. They'll say, "You're running Apache xx.yy, so you're vulnerable to this and that," where this and that aren't actually in your Apache configuration, and are in modules virtually nobody uses, or "You're running OpenSSH xx.yy, so you've got these vulnerabilities," when these vulnerabilities were long-ago patched by the distros you're using, which you've kept up to date.

In short, the commercial vulnerability scanners earn their price by enabling consultants to appear to be useful by running them without any real understanding and printing out nice reports for their clients implying the clients' tech staff are idiots who've left them exposed, all based on inferences which are, assuming competent tech staff who've kept their systems patched, flimsy at best. And I say this after taking the reports from the commercial product quite seriously, tracing every claimed vulnerability back to its sources, and then checking that the distros and configurations we use in fact either patch or avoid them. They were all false positives.

Having a long list of vulnerabilities from a scanner doesn't necessarily show the scanner's doing its job. It can show that the scanner throws far too many false positives, which in security as in medicine can be a danger in itself, since when trying to fix things which aren't broken we often do break something, whether we're techs or physicians.

Whit

_______________________________________________
Openvas-discuss mailing list
[email protected]
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
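The false-positive mechanism Whit describes, banner-version matching that ignores distro backports, is easy to make concrete. The following is an added example written for this thread; it is not code from OpenVAS or from either poster. The SSH banner, the package revisions and the `DEMO-*` advisory identifiers are all constructed placeholders (not real CVEs), and the version comparison is a simplified Debian-style ordering rather than dpkg's full algorithm. It contrasts what a banner-only check reports with what remains once each hit is checked against the distro's backport record, which in practice comes from the distro's security tracker or the package changelog.

```python
"""Banner-version vulnerability matching versus distro-backport-aware triage.

Added example for the thread above; it is not code from OpenVAS or from the
list posters. Every banner, package version and advisory identifier below is
constructed for illustration (the DEMO-* ids are placeholders, not CVEs).
"""
import re
from dataclasses import dataclass

# Constructed banner of the kind a scanner reads from TCP/22. Debian-style
# builds keep the upstream version string and append the package revision.
SSH_BANNER = "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7"


@dataclass(frozen=True)
class Advisory:
    ident: str               # constructed placeholder id, not a real CVE
    fixed_upstream: tuple    # first upstream (major, minor) containing the fix


# Constructed knowledge base keyed only on the upstream version, which is all
# a banner-matching check looks at.
ADVISORIES = [
    Advisory("DEMO-0001", (5, 4)),
    Advisory("DEMO-0002", (5, 9)),
    Advisory("DEMO-0003", (6, 1)),
]

# Constructed distro advisory data: the package revision at which the distro
# backported each fix without bumping the upstream version string.
DISTRO_BACKPORTS = {
    "DEMO-0001": "5.3p1-3ubuntu4",
    "DEMO-0002": "5.3p1-3ubuntu7",
    # DEMO-0003: no backport on record, so it stays a finding to review
}

_BANNER_RE = re.compile(r"OpenSSH_((\d+)\.(\d+)(?:p\d+)?)(?:\s+\S+?-(\S+))?")


def parse_banner(banner):
    """Return ((major, minor), package_version) from an OpenSSH banner.

    package_version is 'upstream-revision' when the banner carries a distro
    revision, otherwise just the upstream string.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    upstream_str, major, minor, revision = m.groups()
    pkg = upstream_str + ("-" + revision if revision else "")
    return (int(major), int(minor)), pkg


def _version_key(version):
    """Simplified Debian-style ordering: alternate text and numeric runs.

    Not dpkg's full algorithm (no epochs, no '~' handling); it is enough to
    order revisions like 3ubuntu4 < 3ubuntu7 < 3ubuntu10.
    """
    parts = re.split(r"(\d+)", version)
    return tuple(int(p) if p.isdigit() else p for p in parts)


def package_at_least(installed, required):
    return _version_key(installed) >= _version_key(required)


def naive_findings(banner):
    """What a banner-only check reports: every advisory newer than the banner."""
    upstream, _ = parse_banner(banner)
    return [a.ident for a in ADVISORIES if upstream < a.fixed_upstream]


def triaged_findings(banner):
    """Re-evaluate each naive hit against the distro's backport record."""
    upstream, pkg = parse_banner(banner)
    status = {}
    for adv in ADVISORIES:
        if upstream >= adv.fixed_upstream:
            status[adv.ident] = "not-affected"     # upstream already has the fix
            continue
        backport = DISTRO_BACKPORTS.get(adv.ident)
        if backport and package_at_least(pkg, backport):
            status[adv.ident] = "backported"       # false positive for this host
        else:
            status[adv.ident] = "needs-review"     # genuine, or no record either way
    return status


if __name__ == "__main__":
    print("banner-only:", naive_findings(SSH_BANNER))
    for ident, state in triaged_findings(SSH_BANNER).items():
        print("%s: %s" % (ident, state))
```

The banner-only pass flags all three placeholder advisories; the triaged pass keeps only the one with no backport on record. The point is not that the triaged result is automatically right (the distro data can be incomplete, and a locally built or backported-but-misconfigured package still needs a look) but that a long naive list is a list of hypotheses, each of which has to be traced to the actual package and configuration before it counts as exposure.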
