| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Feb 2004 13:34:09 -0600 From: "Evans, Arian" <Arian.Evans@...hnetsecurity.com> To: "Drew Copley" <dcopley@...e.com> Cc: <dotsecure@...hmail.com>, <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com> Subject: RE: Another Low Blow From Microsoft: MBSA Failure! Drew, > I apologize for alienating these users. Clarification appreciated. As someone who has used Retina for years, and performs vulnerability assessment and incident response for a living, I share your concerns about the quality of MBSA (and appreciate the things that Retina does well in this area). However, we too have clients that cannot afford comprehensive assessment services or even their own licenses for the assessment tools we use. Recommendations must always be kept in business/organizational context. > To such users: please start using the free Nessus tool. Use MBSA as a > back-up. Check in-person on any suspicious anomalies. Nessus has its' strengths and weaknesses, and is beyond the technical capability of some clients to use _effectively_. MBSA provides useful information outside the scope of Nessus, such as configuration checks that are consistently accurate for the OS, and information regarding MS-recommended configs for certain app severs. Understanding MBSA's limitations and RTM is the key here; I'd hate to discourage someone from using it due to the risk of false positive/negative information discussed in this thread, if they currently do nothing at all (or cannot afford otherwise). The combination of the free MS tools MBSA and SUS are a powerful audit and patch management solution for the cost. I highly encourage MS shops to use these unless they have or can afford better commercial solutions (and there are _many_, Retina being a good VA/audit upgrade example). Read the documentation well, the release notes on the patches, and with some time spent manually validating MBSA's findings, you'll identify and be able to account for the weaknesses in MBSA. Nota Bene: MBSA is an *audit* tool, not a *vulnerability scanner*. I do not use MBSA as an assessment tool, would not, and we do not use it internally at FishNet Security. We do evaluate new releases as part of our assessment services, to decide if it is an efficacious recommendation for those clients that fall in the MBSA/SUS cost/benefit category, hence my response. [no control over attached auto-disclaimer] </sorry> Arian Evans Sr. Security Engineer FishNet Security Phone: 816.421.6611 Toll Free: 888.732.9406 Fax: 816.421.6677 http://www.fishnetsecurity.com note: Microsoft Office XP breaks text-based email by default. Turn off the "remove extra line breaks" located at |Tools|Options|Email Options if this formats incorrectly. The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists