Sanity brought about by people who use their own tools in real-world tests
Please, the common response of "Just because you can login doesn't mean you have the privileges to get the results you need" won't cut it...
It's clear - the payoffs of being able to test login credentials in a vulnerability scanner are huge. Some benefits include:
- confirmation, in advance (key phrase: in advance), that your authenticated scans will actually run
- less time spent waiting to see what vulnerabilities lie behind the login prompt (there's a LOT more than meets the eye)
- no reduction in your available scan count (if you happen to be using a tool that charges on a per-scan basis)
- no time spent re-running scans (this can be worth hours of time, hassle, and embarrassment)
- less cussing
I know...it seems trite, and many vendors have shown that they're not interested in making such basic improvements to their scanners. I'm sorry - time is money. Given all the complexities and pressures associated with performing security testing today, the last thing you need is a tool that actually creates more work.
Nexpose saves the day on this one. Kudos Rapid7. Whoever was responsible for this feature, I want to hug their neck.