February 28, 2007

Pen Testing Tools aren't always the best solution

Fave raves - Network World

Now I know that Core Impact is a really cool tool, though I've not had a chance to play with it directly, but it's not always the right tool for the job.... Like in this case, we have a network manager who's using this as what looks like a vulnerability management tool and even saying you can give it to a junior engineer to use... D'oh!

Surely the best way as a network manager to do this is through patch management or vuln. scanning tools which you run regularly over your whole estate, not through pointing a penetration testing tool at some servers...

No matter how many exploits Core have for their product they're never going to find as many holes as a tool that authenticates to the box and enumerates missing patches and security policy non-compliances.

Apart from anything else actually exploiting vulnerable services always runs a risk of crashing the service or indeed the server, which a patch scanning/security config scanning tool wouldn't.

The really bizarre part is that Core actually use this as a case study on their site...

Posted by rorym at 10:27 AM | Comments (0)

February 22, 2007

Security products != Secure products

Here's a thought. If you look at the code bases of large software providers, Microsoft, Oracle or Cisco (even though they're known as a hardware company, all those switches and routers run software), you'll see that they've had vulnerabilities found in them, and for that trio a fair number.

Well now think about all the new vendors that spring onto the market with each new trend in the security market. This year it's NAC, in previous years it's been IDS, A-V and Anti-Spyware, Endpoint security... the list goes on.

Now here's the thing: in reading the websites or promotional literature of security product providers, I've never seen them say anything about their development practices or methodologies, which need to be top notch to reduce the chances of vulnerabilities cropping up.

Obviously security flaws in any software can be bad.. but if your security software isn't securely developed you're in a whole load of trouble.

So next time you're going to buy some security software, don't just ask about all the whizzy features and how compliant it'll make you. Ask about their development practices, what code reviews are carried out, do they get external parties to validate their code, that kind of thing...

Posted by rorym at 7:11 PM | Comments (0)

February 16, 2007

Why Microsoft's SDL may not lead to secure Microsoft Products

I was reading this article on Wired.com about this month's Microsoft patches when something occurred to me.

Microsoft have done a huge amount of work on the security of their development practices and ensuring that there are fewer vulnerabilities in their products but what about "bought in" code?

The reason this occurred to me is that the one vulnerability from this month's set that affects Vista is in some of the A-V technology that they've acquired with companies like Sybari.

So every time Microsoft buys a company and integrates their products into the existing Microsoft ones they potentially introduce a load of new vulnerabilities in code that probably won't have been through the same rigours as the internally developed code. This is especially relevant where they are integrating products in security sensitive areas of the operating system like A-V and Anti-Spyware.

Now Microsoft could of course re-write the codebase of any acquired technology before integrating it, but that would kinda' defeat the purpose of buying the company in the first place!

Posted by rorym at 12:49 PM | Comments (0)

February 11, 2007

Very nasty Solaris telnet bug

There's some information on a very nasty Solaris telnet vulnerability over at the Computer Defense blog.

Now hopefully this'll have limited impact 'cause all the Solaris admins out there are running SSH already...

Doubt it though, I've heard quite a few unix/router guys argue against dropping telnet in the past, so there's probably quite a few boxes out there using it...
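The point made in the pen-testing post above (authenticate to the box and enumerate missing patches and policy non-compliances rather than exploit it) and the worry here (telnet still enabled where SSH should be) can both be expressed as a credentialed compliance check. The following is an added example and not code from this blog or from any scanner vendor; the package names, version strings, hostnames and the patch baseline are all constructed, hypothetical values.

```python
"""Added example: an authenticated patch-level and service-policy check.

It models what a credentialed scanner does once it is on the box: compare the
installed package versions against a required baseline and check a few
service-policy settings (telnet off, ssh on). Everything below is constructed:
hypothetical package names, versions, hostnames and a made-up baseline.
"""
from dataclasses import dataclass

# Constructed baseline of minimum acceptable versions (not real advisory data).
PATCH_BASELINE = {
    "openssl": (0, 9, 8, 4),   # i.e. "0.9.8d" in the notation parsed below
    "telnetd": (1, 2, 0),
    "apache": (2, 2, 4),
}

# Constructed service policy: legacy clear-text services off, SSH on.
MUST_BE_DISABLED = {"telnet", "rsh", "finger"}
MUST_BE_ENABLED = {"ssh"}


@dataclass
class HostInventory:
    """What an authenticated session would enumerate from one host."""
    hostname: str
    packages: dict   # package name -> version string, e.g. "0.9.8d"
    services: dict   # service name -> True if enabled


def parse_version(text):
    """Turn '0.9.8d' into (0, 9, 8, 4); a trailing letter becomes a numeric part."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        letters = "".join(ch for ch in piece if ch.isalpha())
        parts.append(int(digits) if digits else 0)
        if letters:
            parts.append(ord(letters[0].lower()) - ord("a") + 1)
    return tuple(parts)


def version_lt(installed, required):
    """Compare version tuples of unequal length by zero-padding ('1.2' == '1.2.0')."""
    n = max(len(installed), len(required))
    padded_installed = installed + (0,) * (n - len(installed))
    padded_required = required + (0,) * (n - len(required))
    return padded_installed < padded_required


def check_host(inv):
    """Return a list of (kind, subject, detail) findings; an empty list means compliant."""
    findings = []
    for name, required in PATCH_BASELINE.items():
        if name not in inv.packages:
            continue  # not installed, so nothing to patch
        if version_lt(parse_version(inv.packages[name]), required):
            findings.append(("patch", name, inv.packages[name]))
    for svc in sorted(MUST_BE_DISABLED):
        if inv.services.get(svc, False):
            findings.append(("policy", svc, "enabled"))
    for svc in sorted(MUST_BE_ENABLED):
        if not inv.services.get(svc, False):
            findings.append(("policy", svc, "disabled"))
    return findings


def scan_estate(hosts):
    """Run the check over every host and map hostname -> findings."""
    return {h.hostname: check_host(h) for h in hosts}


# Constructed inventory for two hypothetical hosts.
SAMPLE_ESTATE = [
    HostInventory("sol-web01",
                  {"openssl": "0.9.8c", "telnetd": "1.1", "apache": "2.2.4"},
                  {"telnet": True, "ssh": False}),
    HostInventory("sol-db01",
                  {"openssl": "0.9.8e"},
                  {"telnet": False, "ssh": True}),
]

if __name__ == "__main__":
    for host, findings in scan_estate(SAMPLE_ESTATE).items():
        print(host, "compliant" if not findings else findings)
```

Nothing here touches a live service: the inventory is the input, so the check can be run over the whole estate on a schedule without the risk of crashing anything, which is the contrast the pen-testing post draws. In a real deployment the `HostInventory` would be filled from the package database and service configuration read over an authenticated session.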

Posted by rorym at 2:49 PM | Comments (0)

February 5, 2007

The Final Frontier for Microsoft Security - Complexity

There's a really interesting posting at Visual Complexity that provides a good illustration of what I think Microsoft's main remaining problem in regards to security is.

MS have done tons of work in improving their code quality, improving their default builds and adding features like Address Space Layout Randomization (ASLR) to make hacking into their products harder.

The one area that's left is complexity. Ultimately the more code that is installed on a system the more code there is to be attacked, either remotely or locally. What the graphs from Visual Complexity show is that for web servers IIS on Windows has more potentially active code than Apache on Linux.

Hopefully some of the other stories that have surfaced recently will lead to the possibility of having a very stripped down Windows OS if you need it...

Posted by rorym at 9:27 PM | Comments (0)

Online Security scanners List

Here's an interesting list of online security scanners.

Posted by rorym at 7:09 AM | Comments (0)