Wednesday, December 27, 2006

Maybe I'm not too far off

Ok, so maybe my previous posting wasn't too crazy. Just came across a nice little piece named "Vulnerability Assessment is dead, can I sell you a scanner?" by Alan Shimel of StillSecure. Seems that they actually have products that play in the space I figured ought to exist, only they take it a little further with NAC as well.

I'm not sure I buy the argument that NAC is the next step, given that NAC solutions haven't been proven to be what you'd call reliable or even workable. See - "Bypassing NAC Solutions". It's by a NAC vendor so YMMV, but still makes some good points.

We could just stop running such crappy operating systems, applications, etc. Of course, as Jeremiah Grossman points out in - The future of web application vulnerability assessment is about scale - even if we weren't building on top of quicksand, we're still pretty much screwed.