If you want to perform possibly destructive web audit scans on production systems, that is fine.
I think you are taking what I said and making an overly-general statement about any kind of security scanning.

On Wed, Oct 1, 2014 at 10:21 AM, Reindl Harald <h.rei...@thelounge.net> wrote:

> On 01.10.2014 at 16:52, Brandon Perry wrote:
> > I agree that utilities like dirb and nikto are useful as plugins for OpenVAS since these are generally applicable
> > to any web server.
> >
> > Arachni and wapiti require such application specific configurations that I wouldn't want to give people using
> > OpenVAS the idea that running arachni through OpenVAS is as good as running it independently. Both are very
> > powerful (particularly arachni), but I do think they almost serve a different purpose than OpenVAS in that OpenVAS
> > in my mind is about finding and remediating known vulnerabilities such as missing patches and a /backup folder on a
> > web server.
> >
> > Finding SQL injections and XSS should be in the development lifecycle, not the patch management and insecure
> > configuration discovery
>
> no - finding SQL injections and XSS is *by definition* the purpose of a security scan
>
> _______________________________________________
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website