You can't secure what you don't acknowledge.SM

Thursday, July 18, 2013

Authenticated vulnerability scan pains...Rapid7 to the rescue.

Apparently the folks at Rapid7 have people on their Nexpose team who have actually performed security assessments for a living. You see, Nexpose has a seemingly trivial feature that can make a world of difference in the life of a security practitioner. It's part of the Site Configuration (i.e. scan settings) and it's called Test Credentials, as seen in the following screenshot:
[Screenshot caption: Sanity brought about by people who use their own tools in real-world tests]

Yep, with Nexpose you can actually test your login credentials before running authenticated vulnerability scans. Imagine that! The last time I remember seeing this feature was in Harris Corporation's STAT scanner about 10 years ago. Now, granted, I haven't used *every* vulnerability scanner out there, but why don't we see this feature more often? Is it that difficult to implement programmatically? Am I alone in the quest to work more efficiently?

Please, the common response of "Just because you can login doesn't mean you have the privileges to get the results you need" won't cut it...


It's clear - the payoffs of being able to test login credentials in a vulnerability scanner are huge. Some benefits include:
  • confirmation, in advance (key phrase: in advance), that your authenticated scans will actually run
  • less time spent waiting to see what vulnerabilities lie behind the login prompt (there's a LOT more than meets the eye)
  • no reduction in your available scan count (if you happen to be using a tool that charges on a per-scan basis)
  • no time spent re-running scans (this can be worth hours of time, hassle, and embarrassment)
  • less cussing

I know...it seems trite, and many vendors have shown that they're not interested in making such basic improvements to their scanners. I'm sorry - time is money. Given all the complexities and pressures associated with performing security testing today, the last thing you need is a tool that actually creates more work.

Nexpose saves the day on this one. Kudos Rapid7. Whoever was responsible for this feature, I want to hug their neck.
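If your scanner doesn't offer a Test Credentials button, the same "in advance" check is easy to script yourself. The following is an added example for this post, not Rapid7/Nexpose code: it assumes the targets accept SSH with key- or agent-held credentials for the scan account and that the OpenSSH client is on PATH. The host names and the stub probe in the demo are constructed so it runs without a network; swap in the real `ssh_probe` (or a probe for whatever protocol your scan uses) to gate an actual scan launch.

```python
"""Pre-flight credential check, run before launching an authenticated scan.

Added example for this post, not Rapid7/Nexpose code. It assumes the targets use
SSH with key- or agent-based credentials and that the OpenSSH client is on PATH;
the probe is pluggable, so the same gate works with another protocol probe or,
as in the demo below, with a constructed stub that needs no network.
"""
import subprocess
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    host: str
    user: str


@dataclass(frozen=True)
class Result:
    target: Target
    status: str  # "ok", "auth_failed", "hostkey", "unreachable" or "timeout"
    detail: str = ""


def ssh_probe(target: Target, timeout: int = 5) -> Result:
    """Attempt one non-interactive login that runs `true` and exits.

    BatchMode=yes makes ssh fail instead of prompting for a password, so a
    rejected key shows up as a failure here rather than as a hung scanner.
    Host key checking is deliberately left on: an unknown or changed key is
    a finding to resolve, not something to bypass to get the scan started.
    """
    cmd = [
        "ssh", "-o", "BatchMode=yes", "-o", f"ConnectTimeout={timeout}",
        f"{target.user}@{target.host}", "true",
    ]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 5)
    except subprocess.TimeoutExpired:
        return Result(target, "timeout")
    except FileNotFoundError:
        return Result(target, "unreachable", "ssh client not found on PATH")
    if proc.returncode == 0:
        return Result(target, "ok")
    stderr = proc.stderr.strip()
    err = stderr.splitlines()[-1] if stderr else ""
    # OpenSSH exits 255 for both auth and connection errors; the message tells them apart.
    if "Permission denied" in err:
        return Result(target, "auth_failed", err)
    if "Host key verification failed" in err:
        return Result(target, "hostkey", err)
    return Result(target, "unreachable", err)


def preflight(targets, probe=ssh_probe, workers=8):
    """Probe every target in parallel and return one Result per target, in order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(probe, targets))


def summarize(results):
    """Count of targets per status, e.g. {"ok": 2, "auth_failed": 1}."""
    return dict(Counter(r.status for r in results))


def scan_gate(results, require_all=True):
    """Return (go, failures). With require_all, one bad credential blocks the
    launch so a scan (and a scan credit) is not burned on hosts that would
    only yield the unauthenticated view."""
    failures = [r for r in results if r.status != "ok"]
    go = not failures if require_all else len(failures) < len(results)
    return go, failures


if __name__ == "__main__":
    # Constructed demo targets and a stub probe so this runs with no network.
    demo = [Target("web1.example", "scanner"), Target("db1.example", "scanner"),
            Target("old-ap.example", "scanner")]
    canned = {"web1.example": "ok", "db1.example": "auth_failed", "old-ap.example": "timeout"}

    def stub_probe(t: Target) -> Result:
        return Result(t, canned[t.host])

    results = preflight(demo, probe=stub_probe)
    go, failures = scan_gate(results)
    print("summary:", summarize(results))
    print("launch scan:", go)
    for r in failures:
        print(f"  fix before scanning: {r.target.user}@{r.target.host} -> {r.status} {r.detail}")
```

This checks that the login works, which is exactly what Test Credentials does. To also answer the "you can log in but can you see what the scanner needs" objection, replace `true` in the probe command with a command that needs the privilege the scan depends on (for example reading a root-only file via sudo) so a permission shortfall fails the gate up front too.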

Tuesday, July 16, 2013

Never forget this

Although we strive to get others on our side, here's a good reminder from the late Richard Carlson that applies just as well to IT and information security, and that we should always keep in mind:

"The sooner we accept the inevitable dilemma of not being able to win the approval of everyone we meet, the easier our lives will become".

Speaking of building your confidence and independence, here are some new articles I've written that can help:

Four steps to become a leader in IT problem-solving

Prioritize your IT tasks and finally conquer your to-do list 

Working in IT? Simple steps to get users on your side

In IT planning, try zero-based thinking

Getting hired in IT: How to stand out

As always, check out my website for links to all of my other information security-related content.
Much more to come on web and mobile security testing...It's what I love doing and I've learned a tremendous amount while doing it over the past decade.

Cheers!

Monday, July 15, 2013

Infosec-related quote that strikes a chord

I always love bringing philosophy, leadership, and personal responsibility into the information security discussion, and here's one of the best quotes I've come across. It resonates across all industries and businesses, large and small:

"To see what is right and not do it is a lack of courage." - Confucius


What can you say to that...?

Let this be the fire within that you use to get (and keep) the right people on your side on security for the second half of the year, so you can have a stellar 2014.