<p>Cracking Drupal - scanner monkey: <a href="http://crackingdrupal.com/taxonomy/term/35/0">http://crackingdrupal.com/taxonomy/term/35/0</a></p>
<p><a href="http://crackingdrupal.com/blog/greggles/application-security-beyond-scanner-monkey">Application security beyond the scanner monkey</a></p>
<p>Matt Fisher of <a href="http://www.piscis-security.com/">Piscis Security</a> gave a talk about security beyond the "scanner monkey" phase. Scanner monkeys are people who run a scanner tool, get the output, and think they are done with a vulnerability assessment. There are more and more scanners - commercial, proprietary, and open source - and yet they are no longer good enough.</p>
<ul>
<li>The scanners only start the process; they don't end it.</li>
<li>The person running the scanner is likely not talented enough to configure it properly.</li>
</ul>
<p>Perhaps the best quote from the presentation is "we don't fix cars by placing a screwdriver and wrench on the hood and hoping that things get fixed - we need talented people who use tools to fix things."</p>
<p>So, ultimately this presentation suggested that scanners are a part of the solution and that we also need:</p>
<ul>
<li>Front-end scanners and static code analysis</li>
<li>Interviews with the developers</li>
<li>Reviews with whoever manages the hardware/software of the application</li>
</ul>
<p>And on and on.</p>
<p>It wasn't clear what the takeaway was other than "you should work harder", which is certainly true, but not really motivating or useful to hear.</p>
<p>Tags: penetration testing, scanner monkey. Posted Fri, 13 Nov 2009 14:55:56 +0000 by greggles.</p>