Web Vulnerability Analysis the Wrong Way

I’ve added Kevin Lam’s blog at Impacta to the list of blogs I regularly follow. In a recent entry, he blogs that he’s been seeing companies use the same company that designed their website to perform their web pen test.
I think it is possible for a company to be great at both things. But you’d have to trust them an awful lot to believe you were getting a fair deal. In this instance, the part that jumped out at me more was that their “pentest” basically consisted of running some vulnerability scanners. His scan, on the other hand, used custom tools they developed and manual techniques.
I’m reminded of something Dave Aitel posted recently on the Daily Dave. That post has some cool detail that a consultant running the standard vuln scanner just isn’t going to know.
The funny thing is the original company performing the vulnscan fulfilled their mission. They checked a PCI checkbox, and missed a handful of SQL injection, XSS, and blatant configuration issues.
