How does Nessus detect CVEs in scans - nessus

How does the Nessus scanner write plugins for the latest CVEs that don't have a public exploit, in order to identify the vulnerabilities in the network? Does it do banner matching with the available CVE?

In some cases a version check will be done, using either local or remote detection, to verify whether the target version is vulnerable.
In other cases a security researcher will work on developing a proof of concept based on the vulnerability description.


pentest-verify checklist after checked

After pentesting and checking the checklist, how can I reassure my client that these checks are done and the vulnerabilities patched? (Of course for something like SQLi, showing it is obvious.)
But I mean somewhere to verify, or something like this?
Thanks
For test checks that are done you can provide different reports generated by tools or manual testing (depending on vulnerability type) for those specific checks.
While for patched vulnerabilities, you will need to re-test the platform again and provide the changed reports either generated from tools or manual testing that will show different output by indicating the vulnerability is no longer present.
For further reassurance you can also add the vulnerability exploitation reproduction steps to the report, so if the client wants to test it themselves they can do it (and be assured that it was fixed).
You need to describe all methodologies used, like OSSTMM, OWASP, NIST. It is also very important to talk about the perimeter tested (web, like forms, APIs, frameworks, network protocols, etc.).
However, you can create a topic for every step tested using the OWASP Top 10:
Broken Authentication
Sensitive data exposure
XML External Entities (XXE)
Broken Access control
Security misconfigurations
Cross Site Scripting (XSS)
Insecure Deserialization
Using Components with known vulnerabilities
Insufficient logging and monitoring
This way you ensure that your test was compliant.

SonarQube - ignore thirdparty javascript EXCEPT for security section?

Trying sonarqube 6.0
Hi sonarqube experts
I've used the sonar.exclusion in the past, but it's an all-or-nothing kind of deal.
Given the following sections in the sonarqube dashboard:
Reliability
Security
Maintainability
Duplications
Size
Complexity
Documentation
Issues
Is there a way to cross-filter selected directories (such as those containing third-party JavaScript libraries) so they are excluded except for Security, as an example?
The use case is, when configuring Quality Gates, to not worry about the maintainability of third-party JavaScript libraries, but to very much worry about their vulnerabilities.
Behind this request, I have the feeling that you're looking for a tool able to detect usages of APIs with known MITRE CVE vulnerabilities. If this is the case, then SonarQube won't be of any help to you in covering this need.

Performance testing on host intrusion prevention system

I need some help here. In my current project we are replacing a Host Intrusion Prevention Software (HIPS) and I need to do performance testing on its server. Wondering if you can throw some light on what type of performance testing can be done on the server, and also what kind of comparison test I can do with respect to performance testing for the already existing HIPS server?
It depends on what you are trying to achieve, actually. Are you developing a Host Intrusion Prevention Software, or just replacing an existing one with another from a different vendor or version?
As your topic says you want to do performance testing, I will ignore all the functional testing and security testing you could do.
One thing I think you can measure is the resource consumption of the HIPS; you could compare it with the previous version to know whether it will need a more robust host than you currently have, or whether it will have some performance impact on the other applications running on the same host.

nessus scan interpretation based upon credentials?

Can someone clearly state the difference between running a Nessus scan with/without credentials? What would happen if I scan a Unix-based system with no credentials and at about the same time using an SSH account?
How would the results differ? And on what occasions is one preferred over the other?
Credentialed scanning is preferred to non-credentialed scanning as it is able to run scripts that are executed on the host machine in order to directly identify versions or software that might be vulnerable, as well as to check for vulnerabilities that might be present. A non-credentialed scan basically makes educated guesses based on network banner grabs and TCP/IP stack information that it observes, in order to find out what vulnerabilities are present.
An uncredentialed scan is equivalent to running around a house and checking the locks on the doors/windows by attempting to open it. On the other hand, a credentialed scan is like having the key to the house, so that you can examine the locks from the inside of the house and see what type of lock it is, whether it is susceptible to vulnerabilities or not, and who has a copy of the keys.
Credentialed scans provide much more information on the systems but require much more coordination and effort than a simple non-credentialed scan. It also requires a level of trust between the scanning host and the target host.
You might want to go ahead with Unauthenticated scans in case of Black-box testing, where you have no information about the target in your scope. This may lead to a lot of False Positives.
However, in case of White-box/Grey-box testing, you should go ahead with Credentialed scans. This will also rule out the possibility of getting false positives and will give a comprehensive report of findings.
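An added example (not code from the forum posts or from Nessus) that ties the version-check answer in the first thread to the credentialed-versus-uncredentialed answers here: a remote check that parses the upstream version out of an SSH banner, beside a local check that compares the installed package revision, showing the false positive an uncredentialed scan produces when a distribution backports a fix without bumping the upstream version. The advisory, banner, package versions and the simplified package-version ordering are all constructed for illustration.

```python
import re

# Constructed advisory (placeholder id, not a real CVE): the upstream fix
# shipped in 7.5, and the distro backported it into package revision deb9u4.
ADVISORY = {
    "id": "CVE-XXXX-XXXX (placeholder)",
    "upstream_fixed": (7, 5),
    "debian_fixed": "1:7.4p1-10+deb9u4",
}

def parse_banner(banner):
    """Remote check input: extract the upstream OpenSSH version from a banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def remote_check(banner):
    """Uncredentialed logic: judge only from the advertised upstream version."""
    ver = parse_banner(banner)
    if ver is None:
        return "unknown"
    return "vulnerable" if ver < ADVISORY["upstream_fixed"] else "not vulnerable"

def version_tokens(v):
    """Split '1:7.4p1-10+deb9u7' into comparable numeric/text runs.
    Simplified ordering for this example, not the full dpkg algorithm."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", v)]

def credentialed_check(dpkg_version):
    """Credentialed logic: compare the installed package revision with the fixed one."""
    installed = version_tokens(dpkg_version)
    fixed = version_tokens(ADVISORY["debian_fixed"])
    return "vulnerable" if installed < fixed else "not vulnerable"

# Constructed host: the banner still says 7.4 because the fix was backported,
# but the package revision (deb9u7) is newer than the fixed revision (deb9u4).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"
SAMPLE_DPKG = "1:7.4p1-10+deb9u7"

def compare_scans(banner=SAMPLE_BANNER, dpkg_version=SAMPLE_DPKG):
    """Run both checks and flag the case where only the banner-based check fires."""
    remote = remote_check(banner)
    local = credentialed_check(dpkg_version)
    return {
        "remote": remote,
        "local": local,
        "false_positive": remote == "vulnerable" and local == "not vulnerable",
    }

if __name__ == "__main__":
    print(compare_scans())
```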

Subclipse- single programmer usage

I just started using Subclipse for my class projects after rewriting half of a project due to going off on the wrong logical branch. Since I'm using it on my home systems, I have a couple of questions whose answers I haven't found in searching.
Say I have separate local repositories on my computers. First, can I use a file sync to keep them synced until I figure out what I need to do to access the university's network? (Aside: the only information available about accessing the network remotely is through PuTTY and FTP, which are not valid URL strings.)
Second, in the same local system, am I correct in that once I check out a project and apply commits regularly, I don't have to keep checking out the project?
I ended up using SlikSVN for hosting the repository, since it is free for <100MB storage, which is perfect for my classwork. Also, I don't have to bother with tunneling through the school's network.
You can access SVN repositories via ssh, using urls of the form:
svn+ssh://me@myhost.com:/mypath/to/repo
From the sound of things, since you say you have PuTTY access, this should be very possible.
I would avoid the "separate local repositories" route as much as possible, since keeping them in sync introduces problems that having one definitive location for the whole repository avoids.
