lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8654C851B1DAFA4FA18A9F150145F925D9C1C5@fnex01.fishnetsecurity.com>
From: Arian.Evans at fishnetsecurity.com (Evans, Arian)
Subject: RE: Another Low Blow From Microsoft: MBSA Failure!

 Drew,

> I apologize for alienating these users.

Clarification appreciated. As someone who has used Retina for years,
and performs vulnerability assessment and incident response for a living, I
share your concerns about the quality of MBSA (and appreciate the things
that Retina does well in this area).

However, we too have clients that cannot afford comprehensive assessment
services or even their own licenses for the assessment tools we use.

Recommendations must always be kept in business/organizational context.

> To such users: please start using the free Nessus tool. Use MBSA as a
> back-up. Check in-person on any suspicious anomalies.

Nessus has its' strengths and weaknesses, and is beyond the technical
capability of some clients to use _effectively_.

MBSA provides useful information outside the scope of Nessus, such as
configuration checks that are consistently accurate for the OS, and information
regarding MS-recommended configs for certain app severs. Understanding
MBSA's limitations and RTM is the key here; I'd hate to discourage someone
from using it due to the risk of false positive/negative information discussed
in this thread, if they currently do nothing at all (or cannot afford otherwise).

The combination of the free MS tools MBSA and SUS are a powerful audit
and patch management solution for the cost. I highly encourage MS shops
to use these unless they have or can afford better commercial solutions
(and there are _many_, Retina being a good VA/audit upgrade example).

Read the documentation well, the release notes on the patches, and with
some time spent manually validating MBSA's findings, you'll identify and
be able to account for the weaknesses in MBSA.

Nota Bene: MBSA is an *audit* tool, not a *vulnerability scanner*.

I do not use MBSA as an assessment tool, would not, and we do not use
it internally at FishNet Security. We do evaluate new releases as part of
our assessment services, to decide if it is an efficacious recommendation
for those clients that fall in the MBSA/SUS cost/benefit category, hence
my response.

[no control over attached auto-disclaimer] </sorry>

Arian Evans
Sr. Security Engineer
FishNet Security

Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com

note: Microsoft Office XP breaks text-based
email by default.

Turn off the "remove extra line breaks" located
at |Tools|Options|Email Options if this formats
incorrectly.

The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. 
Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities
other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication 
in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ