On 01.10.2014 at 17:40, Brandon Perry wrote:
> If you want to perform possibly destructive web audit scans on production
> systems, that is fine.

Surely, because it is better if I do it at a scheduled point in time and with a recent backup than some bad guy does it unasked.

For what purpose do I need a security scan to apply updates which are already available? My OS can do that alone.

Frankly, if you really fear that a security audit destroys your data, then ask yourself if you should not shut down the machine, because you already suspect it to be vulnerable.

Where I work, customers hire security specialists for penetration testing, and you have to agree with that or lose the customer.

If they find something critical like SQL injections, XSS or bad SSL configurations, you have 24 hours to fix it or shut down the website, without any ifs or buts. The purpose of your own security scan is to find things *before* they do and avoid the complaints and stress from outside.

> I think you are taking what I said and making an overly-general statement
> about any kind of security scanning.
>
> On Wed, Oct 1, 2014 at 10:21 AM, Reindl Harald <[email protected]
> <mailto:[email protected]>> wrote:
>
>     On 01.10.2014 at 16:52, Brandon Perry wrote:
>     > I agree that utilities like dirb and nikto are useful as plugins for
>     > OpenVAS since these are generally applicable to any web server.
>     >
>     > Arachni and wapiti require such application specific configurations
>     > that I wouldn't want to give people using OpenVAS the idea that
>     > running arachni through OpenVAS is as good as running it
>     > independently. Both are very powerful (particularly arachni), but I
>     > do think they almost serve a different purpose than OpenVAS in that
>     > OpenVAS in my mind is about finding and remediating known
>     > vulnerabilities such as missing patches and a /backup folder on a
>     > web server.
>     >
>     > Finding SQL injections and XSS should be in the development
>     > lifecycle, not the patch management and insecure configuration
>     > discovery.
>
>     No - finding SQL injections and XSS is *by definition* the purpose of a
>     security scan.
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
