Authenticated vulnerability scan pains…Rapid7 to the rescue.

    18 Jul 2013

    Apparently the folks at Rapid7 have people working on their Nexpose team that have actually performed security assessments for a living. You see, Nexpose has this seemingly trivial feature that can create a world of difference in the life of a security practitioner – it’s part of the Site Configuration (i.e. scan settings) called Test Credentials as seen in the following screenshot:

    [Screenshot: the Test Credentials option in the Nexpose Site Configuration. Caption: "Sanity brought about by people who use their own tools in real-world tests"]

    Yep, with Nexpose you can actually test your login credentials before running authenticated vulnerability scans. Imagine that! The last time I remember seeing this feature was in Harris Corporation’s STAT scanner about 10 years ago. Now, granted, I haven’t used *every* vulnerability scanner out there but why don’t we see this feature more often? Is it that difficult to implement programmatically? Am I alone in the quest to work more efficiently?

    Please, the common response of “Just because you can login doesn’t mean you have the privileges to get the results you need” won’t cut it…

    It’s clear – the payoffs of being able to test login credentials in a vulnerability scanner are huge. Some benefits include:

    • confirmation, in advance (key phrase: in advance), that your authenticated scans will actually run
    • less time spent waiting to see what vulnerabilities lie behind the login prompt (there’s a LOT more than meets the eye)
    • no reduction in your available scan count (if you happen to be using a tool that charges on a per-scan basis)
    • no time spent re-running scans (this can be worth hours of time, hassle, and embarrassment)
    • less cussing

    I know…it seems trite and many vendors have shown that they’re not interested in making such basic improvements to their scanners. I’m sorry – time is money. Given all the complexities and pressures associated with performing security testing today, the last thing you need is a tool that actually creates more work.
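If your scanner lacks a Test Credentials button, the same pre-flight can be done by hand before the scan window opens. The script below is an added example, not Nexpose's code or anything from Rapid7: it assumes key-based SSH for the scan account, that the `ssh` client binary is on PATH, and that the scan account needs passwordless sudo (the `sudo -n true` probe is an assumed privilege requirement; swap in whatever your scanner's Linux checks actually need). It separates the four outcomes a scan operator cares about, so "I can log in" and "I have the privileges the scan needs" are reported as different states rather than being discovered after an hours-long run.

```python
"""Pre-flight credential check for authenticated scans (added example).

Assumptions (not from the original post): key-based SSH access for the
scan account, the OpenSSH client on PATH, and `sudo -n true` as the
privilege probe the scan needs to pass.
"""
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

# Outcome labels for each target host.
READY = "ready"              # login works and the privilege probe succeeded
LOGIN_ONLY = "login-only"    # login works but the probe failed (e.g. no sudo)
AUTH_FAILED = "auth-failed"  # host reachable, credentials rejected
UNREACHABLE = "unreachable"  # could not connect at all

# A runner takes an argv list and returns (exit status, stderr text).
Runner = Callable[[List[str]], Tuple[int, str]]


def ssh_runner(argv: List[str]) -> Tuple[int, str]:
    """Run the ssh command for real and return (exit status, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stderr


def build_ssh_argv(host: str, user: str, probe: str) -> List[str]:
    """Non-interactive ssh invocation that runs the probe on the target.

    BatchMode=yes stops ssh from prompting for a password or passphrase,
    so a bad key fails fast instead of hanging the pre-flight.
    accept-new requires OpenSSH 7.6 or later.
    """
    return [
        "ssh",
        "-o", "BatchMode=yes",
        "-o", "ConnectTimeout=5",
        "-o", "StrictHostKeyChecking=accept-new",
        f"{user}@{host}",
        probe,
    ]


def classify(returncode: int, stderr: str) -> str:
    """Map ssh's exit status and stderr onto one of the four outcomes.

    OpenSSH exits 255 for its own errors (connect or auth); any other
    status is the exit status of the remote probe command.
    """
    err = stderr.lower()
    if returncode == 255:
        if "permission denied" in err:
            return AUTH_FAILED
        return UNREACHABLE
    if returncode == 0:
        return READY
    return LOGIN_ONLY


def preflight(hosts: Iterable[str], user: str, probe: str = "sudo -n true",
              runner: Runner = ssh_runner) -> Dict[str, str]:
    """Test every host before the scan starts; return host -> outcome."""
    results: Dict[str, str] = {}
    for host in hosts:
        rc, err = runner(build_ssh_argv(host, user, probe))
        results[host] = classify(rc, err)
    return results


def ready_hosts(results: Dict[str, str]) -> List[str]:
    """Hosts that can be scanned with credentials right now."""
    return sorted(h for h, state in results.items() if state == READY)


if __name__ == "__main__":
    # Constructed target list; replace with the scan's real scope.
    targets = ["10.0.0.11", "10.0.0.12"]
    outcome = preflight(targets, user="scanner")
    for host, state in outcome.items():
        print(f"{host}: {state}")
    print("ready for authenticated scan:", ready_hosts(outcome))
```

Run it against the scan scope before the window opens; anything not in the `ready` list either needs a credential fix (`auth-failed`), a sudoers change (`login-only`), or a firewall or host-availability check (`unreachable`), and you find that out in minutes rather than after the scan finishes.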

    Nexpose saves the day on this one. Kudos Rapid7. Whoever was responsible for this feature, I want to hug their neck.