Do we know anything about security?
A recent thread labeled “vulnerability solution” on the SecurityFocus WebAppSec mailing list provides an insight into how much we know or care about information security. Mohamed Ali Ahmed asked a simple question. Somewhat paraphrasing his question, he wanted to find a vulnerability scanner that covers multiple use cases: applications, web applications, databases and platforms.
While the question is simple, the answer is far from simple as each one of these scanning domains requires a very different domain expertise. A good example would be the initial scan, or attack surface discovery phase: while a network based platform scanner just tries a range of IP addresses and ports, a web application scanner has to know how to crawl a web application, taking into consideration RESTful interfaces and client side AJAX logic.
On a broader view, the goal of each one of those scanners is different: a platform scanner essentially looks for missing patches and misconfiguration, a database scanner does the same but focuses on misconfiguration while patches are only secondary, while a web application scanner adds the all-important attempt to detect yet unknown and unpatched vulnerabilities. Lastly, I have yet to see a tool that expands effectively on the premise of a web application scanner to applications in general, trying to find unknown vulnerabilities in any application, unless of course source code scanning is added to the mix.
So back to Mohamed's question: the answer is that no one tool would suffice and that one has to carefully select a tool for each one of the tasks.
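To make the discovery-phase difference above concrete, here is an added illustration (my own, not code from the post, the mailing list thread, or any scanner named in it). The platform-scanner side is nothing more than enumerating host:port pairs from an address range; the web-application side has to parse HTML for links and forms and read client-side script for the REST endpoints that AJAX calls reach. It runs entirely offline against a constructed sample page; the hostnames, paths and the `AJAX_CALL` pattern are assumptions for the example, and nothing is connected to.

```python
"""Attack-surface discovery two ways: host:port enumeration versus crawling.

Added example; not code from the original post or from any scanner it names.
Runs offline against a constructed page, no network access.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (assumption for the example, not a real site).
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="https://example.test/docs/">Docs</a>
<a href="https://other.test/external">Elsewhere</a>
<form action="/login" method="post"><input name="user"></form>
<script>
  fetch('/api/v1/users/42').then(r => r.json());
  $.ajax({ url: "/api/v1/orders", type: "POST" });
  const xhr = new XMLHttpRequest(); xhr.open("GET", "/api/v1/health");
</script>
</body></html>
"""

# Crude (assumed) pattern for the URL argument of fetch(), jQuery ajax({url: ...})
# and XMLHttpRequest.open(method, url): a real scanner would execute the script.
AJAX_CALL = re.compile(
    r"""(?:fetch\(|url\s*:|\.open\(\s*["'][A-Z]+["']\s*,)\s*["']([^"']+)["']"""
)


def network_surface(cidr: str, ports: range) -> list:
    """Platform-scanner discovery: every usable host in the range paired with
    every port of interest. No application knowledge is involved."""
    net = ipaddress.ip_network(cidr)
    return [(str(host), port) for host in net.hosts() for port in ports]


class SurfaceParser(HTMLParser):
    """Collects link/form targets and raw inline script text from HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        for key in ("href", "src", "action"):
            if attrs.get(key):
                self.links.append(attrs[key])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def web_surface(html: str, base: str) -> list:
    """Web-scanner discovery: crawl the markup and the client-side script,
    resolve every target against the base URL, and keep only same-origin ones."""
    parser = SurfaceParser()
    parser.feed(html)
    script_targets = [m for s in parser.scripts for m in AJAX_CALL.findall(s)]
    origin = urlparse(base).netloc
    found = set()
    for raw in parser.links + script_targets:
        absolute = urljoin(base, raw)
        if urlparse(absolute).netloc == origin:
            found.add(absolute)
    return sorted(found)


if __name__ == "__main__":
    print("platform view:", network_surface("192.0.2.0/30", range(80, 82)))
    print("web application view:")
    for url in web_surface(SAMPLE_HTML, "https://example.test/"):
        print("  ", url)
```

The three `/api/v1/...` endpoints never appear as links; a tool that only follows anchors, let alone one that only probes ports, would not know they exist. That is the gap the post describes between a platform scanner and a web application scanner, and why the two are not interchangeable.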
However, out of the dozen or so people who answered, only a small minority addressed this challenge. My favorite answer is Mustafa Qasim's "Why do people look for such a magic lamp?". However, Mustafa is very much in the minority. The prominent recommendation was Nessus. While certainly a leading network based platform scanner, it has little value for scanning web applications. Most of the other recommendations were also for network based platform scanners, which I suspect perform just as poorly on web applications even if they claim to cover them.
What can we conclude? That security practitioners understand little of what they do, for example running Nessus against web applications and deeming them secure based on the (very lacking) results? Or alternatively, that they just reply to questions without even reading the question in detail, making social media nonsense? Neither of the options is comforting, and my guess is that both are right.