Thursday 3 November 2011

Differences Between Vulnerability Assessments and Vulnerability Scanning

It is a common misconception that “vulnerability scanning” is the same as a vulnerability assessment. Vulnerability scanning usually means someone running a software package that is preconfigured to produce reports on whatever it scans.

Given the immense heterogeneity of most corporate networks, one piece of software will never find all the issues in the Testing Trees below. Moreover, the landscape of vulnerabilities and flaws in operating systems, databases, routers, firewalls, IDSs and applications changes daily. To trust in the capabilities of one tool is to be blind to anything that the tool is not configured, or updated, to find.

This is not to say that tools are not part of a Security Auditor’s toolkit. Security testing is augmented by software, and time-intensive tasks can be shortened with the right tools. There is no software substitute, however, for experience.

Vulnerability assessments and penetration testing cannot be fully automated without a loss of confidence in the comprehensiveness of the results. There are simply too many aspects of a network to test with one tool. Security testing is time-intensive, and requires experience in technology and expertise in security on the part of the performing Auditor.
