• Authenticated vulnerability scan pains…Rapid7 to the rescue.

    18 Jul 2013

    Apparently the folks at Rapid7 have people working on their Nexpose team that have actually performed security assessments for a living. You see, Nexpose has this seemingly trivial feature that can create a world of difference in the life of a security practitioner – it’s part of the Site Configuration (i.e. scan settings) called Test Credentials as seen in the following screenshot:

    Sanity brought about by people who use their own tools in real-world tests

    Yep, with Nexpose you can actually test your login credentials before running authenticated vulnerability scans. Imagine that! The last time I remember seeing this feature was in Harris Corporation’s STAT scanner about 10 years ago. Now, granted, I haven’t used *every* vulnerability scanner out there but why don’t we see this feature more often? Is it that difficult to implement programatically? Am I alone in the quest to work more efficiently?

    Please, the common response of “Just because you can login doesn’t mean you have the privileges to get the results you need” won’t cut it…

    It’s clear – the payoffs of being able to test login credentials in a vulnerability scanner are huge. Some benefits include:

    • confirmation, in advance (key phrase: in advance), that your authenticated scans will actually run
    • less time spent waiting to see what vulnerabilities lie behind the login prompt (there’s a LOT more than meets the eye)
    • no reduction in your available scan count (if you happen to be using a tool that charges on a per-scan basis)
    •  no time spent re-running scans (this can be worth hours of time, hassle, and embarassment)
    •  less cussing

    I know…it seems trite and many vendors have shown that they’re not interested in making such basic improvements to their scanners. I’m sorry – time is money. Given the all the complexities and pressures associated with performing security testing today, the last thing you need is a tool that actually creates more work.

    Nexpose saves the day on this one. Kudos Rapid7. Whoever was responsible for this feature, I want to hug their neck.

Resources

view all

Client Testimonials

“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.

His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”

(IT managed services firm)
Read More

 

I’ve written/co-written 12 books on information security including:

 

Tags

application security appsec basics books careers censorship CISO CISSP cities compliance coronavirus covid-19 cybersecurity data breaches hacking Hacking For Dummies heads in sand health incident response information risk keynote speaker leadership macOS networked cameras passwords patching racing resilience Russian hacking SDLC security culture security leadership security program management security speaker selling security social engineering speaking engagements spec miata sql injection tiktok time management training vulnerability and penetration testing web security

© Copyright 2001-present, Principle Logic, LLC - All Rights Reserved.

For your convenience I accept