Apparently the folks at Rapid7 have people working on their Nexpose team that have actually performed security assessments for a living. You see, Nexpose has this seemingly trivial feature that can create a world of difference in the life of a security practitioner – it’s part of the Site Configuration (i.e. scan settings) called Test Credentials as seen in the following screenshot:
Yep, with Nexpose you can actually test your login credentials before running authenticated vulnerability scans. Imagine that! The last time I remember seeing this feature was in Harris Corporation’s STAT scanner about 10 years ago. Now, granted, I haven’t used *every* vulnerability scanner out there, but why don’t we see this feature more often? Is it that difficult to implement programmatically? Am I alone in the quest to work more efficiently?
Please, the common response of “Just because you can login doesn’t mean you have the privileges to get the results you need” won’t cut it…
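To make the point concrete, here is an added example (not Nexpose code, and not from the post's author) of what a credential pre-flight looks like when it checks both halves of the problem: can the scanner log in at all, and does the account have the privilege level the authenticated checks need. The transport is deliberately left as an injectable callable (`check_login`), because the real one would be SSH, WinRM or SMB and is an assumption here; the `simulated_checker` and its host table are constructed for demonstration only.

```python
"""Pre-flight credential check before an authenticated vulnerability scan.

Added example, not the scanner's own code. The login transport is an
assumption: `check_login` is any callable (host, username, password) ->
(login_ok, has_required_privilege). In a real deployment it would perform
an SSH/WinRM/SMB login and a privilege probe; here a constructed
simulation stands in so the logic runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Checker = Callable[[str, str, str], Tuple[bool, bool]]


@dataclass
class CredResult:
    host: str
    login_ok: bool
    privileged: bool
    detail: str = ""  # error text only; never record the password here

    @property
    def scan_ready(self) -> bool:
        # A login that lacks privilege yields a hollow scan, so both are required.
        return self.login_ok and self.privileged


def preflight(hosts: List[str], username: str, password: str,
              check_login: Checker) -> List[CredResult]:
    """Test the supplied credential against every target before scanning."""
    results = []
    for host in hosts:
        try:
            ok, priv = check_login(host, username, password)
            results.append(CredResult(host, ok, priv))
        except Exception as exc:  # unreachable host, timeout, protocol error
            results.append(CredResult(host, False, False,
                                      f"{type(exc).__name__}: {exc}"))
    return results


def summarize(results: List[CredResult]) -> Dict[str, List[str]]:
    """Bucket hosts so the operator sees exactly what to fix before launching."""
    return {
        "ready": [r.host for r in results if r.scan_ready],
        "login_failed": [r.host for r in results if not r.login_ok],
        "unprivileged": [r.host for r in results if r.login_ok and not r.privileged],
    }


def should_start_scan(results: List[CredResult], allow_partial: bool = False) -> bool:
    """Gate the scan: by default every target must be ready; optionally allow
    a partial run as long as at least one target is."""
    ready = [r for r in results if r.scan_ready]
    if allow_partial:
        return len(ready) > 0
    return len(ready) == len(results) and len(results) > 0


# --- constructed stand-in for a real transport -------------------------------
_CONSTRUCTED_HOSTS = {
    # host: (expected user, expected password, account has admin/root rights)
    "10.0.0.10": ("scanner", "correct-horse", True),
    "10.0.0.11": ("scanner", "correct-horse", False),
    "10.0.0.12": ("scanner", "other-pass", True),
}


def simulated_checker(host: str, username: str, password: str) -> Tuple[bool, bool]:
    """Constructed checker: mimics a login plus privilege probe against a
    fixed host table. Unknown hosts raise, like an unreachable target would."""
    if host not in _CONSTRUCTED_HOSTS:
        raise ConnectionError("no route to host")
    exp_user, exp_pass, privileged = _CONSTRUCTED_HOSTS[host]
    login_ok = (username == exp_user and password == exp_pass)
    return login_ok, (privileged if login_ok else False)


if __name__ == "__main__":
    targets = ["10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.99"]
    res = preflight(targets, "scanner", "correct-horse", simulated_checker)
    for bucket, hosts in summarize(res).items():
        print(f"{bucket:13s} {hosts}")
    print("start scan:", should_start_scan(res))
```

The design choice worth noting is the two-bit result: a scanner that only reports "login succeeded" still leaves the operator guessing whether the checks ran with the rights they needed, which is exactly the objection the next paragraph raises. The gate defaults to all-or-nothing so a bad credential is caught before hours of scan time are spent, not after.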
It’s clear – the payoffs of being able to test login credentials in a vulnerability scanner are huge. Some benefits include:
I know…it seems trite, and many vendors have shown that they’re not interested in making such basic improvements to their scanners. I’m sorry – time is money. Given all the complexities and pressures associated with performing security testing today, the last thing you need is a tool that actually creates more work.
Nexpose saves the day on this one. Kudos Rapid7. Whoever was responsible for this feature, I want to hug their neck.