Apparently the folks at Rapid7 have people working on their Nexpose team that have actually performed security assessments for a living. You see, Nexpose has this seemingly trivial feature that can create a world of difference in the life of a security practitioner – it’s part of the Site Configuration (i.e. scan settings) called Test Credentials as seen in the following screenshot:
Yep, with Nexpose you can actually test your login credentials before running authenticated vulnerability scans. Imagine that! The last time I remember seeing this feature was in Harris Corporation’s STAT scanner about 10 years ago. Now, granted, I haven’t used *every* vulnerability scanner out there, but why don’t we see this feature more often? Is it that difficult to implement programmatically? Am I alone in the quest to work more efficiently?
Please, the common response of “Just because you can login doesn’t mean you have the privileges to get the results you need” won’t cut it…
It’s clear – the payoffs of being able to test login credentials in a vulnerability scanner are huge. Some benefits include:
I know…it seems trite, and many vendors have shown that they’re not interested in making such basic improvements to their scanners. I’m sorry – time is money. Given all the complexities and pressures associated with performing security testing today, the last thing you need is a tool that actually creates more work.
Nexpose saves the day on this one. Kudos Rapid7. Whoever was responsible for this feature, I want to hug their neck.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability/penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”