
Automation of vulnerability testing and pen-testing


To make the pen-tester's life easier, a new type of security software has been developed: vulnerability scanning tools. The most famous ones are Nessus[12], Saint[13], and Satan. These programs automate the search for vulnerabilities on systems by scanning their ports and matching the results against their knowledge database. That makes such programs able to detect potential threats to the system/network.

Figure 3: Vulnerability Scan Process

The *problem* is that such software is really easy to use and could be seen as a rival to human pen-testers, because it enables network administrators to perform such tasks. Nevertheless, this is quite idealistic and almost foolish, considering that such software is limited to scanning and that its power depends on its database. What's more, these are just programs and can be blind to evident weaknesses (for example, a password in cleartext at the prompt of an FTP server).
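The matching step described above, and the blind spot that goes with it, can be shown in a few lines. This is an added example, not part of the original text and not code from any of the scanners named; the product names, finding ids, addresses and banners are all constructed for the illustration.

```python
import re

# Constructed knowledge base: (port, banner regex, finding).
# Product names and finding ids are made up for this example.
SIGNATURES = [
    (21, re.compile(r"ExampleFTPd 1\.[0-2]\b"), "CONSTRUCTED-0001: outdated ExampleFTPd"),
    (25, re.compile(r"ExampleMTA 4\.1\b"), "CONSTRUCTED-0002: outdated ExampleMTA"),
]

# Constructed scan results: what a port scan plus banner grab would hand
# to the matching stage (documentation-range addresses).
SCAN_RESULTS = {
    "192.0.2.5": {21: "220 ExampleFTPd 1.1 ready", 25: "220 mail ExampleMTA 4.2"},
    "192.0.2.6": {21: "220 OtherFTP 3.0 - maintenance login: admin / pw: s3cret"},
}

def match_signatures(scan_results, signatures=SIGNATURES):
    """Return {host: [(port, finding), ...]} for banners matching a signature."""
    findings = {}
    for host, ports in scan_results.items():
        hits = []
        for port, banner in sorted(ports.items()):
            for sig_port, pattern, finding in signatures:
                if port == sig_port and pattern.search(banner):
                    hits.append((port, finding))
        findings[host] = hits
    return findings

def unmatched_banners(scan_results, findings):
    """Banners that produced no finding: the part a human still has to read."""
    flagged = {(h, p) for h, hits in findings.items() for p, _ in hits}
    return [(h, p, b) for h, ports in sorted(scan_results.items())
            for p, b in sorted(ports.items()) if (h, p) not in flagged]

if __name__ == "__main__":
    found = match_signatures(SCAN_RESULTS)
    for host, hits in found.items():
        print(host, hits or "no findings")
    print("left for manual review:")
    for host, port, banner in unmatched_banners(SCAN_RESULTS, found):
        print(f"  {host}:{port} {banner!r}")
```

The second host comes back with no findings even though its FTP banner shows a password in cleartext, because nothing in the database describes that banner.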


But lately, CORE SECURITY TECHNOLOGIES has developed a brand new type of tool: an Intrusion Automation System[14, Core Impact]. This software scans for vulnerabilities AND tries to hack into the machines. If it succeeds, it tries to infect other machines (a bit like a virus), so it does more or less the same thing as a pen-tester (in fact, it uses the same pen-testing algorithm described above).

Still, even if such software is much more powerful and intrusive, it can't replace a pen-tester IMHO, for the same reasons I mentioned for vulnerability scanners, so all those tools are much more a help to the pen-tester than a replacement solution.


Christian Vincenot 2004-04-12