Blog talking about security, privacy, legal, and compliance topics, as well as follow-on content from the 'Brake'ing Down Security Podcast...
Sunday, February 7, 2016
2016-006-Moxie_vs_Mechanism-Dependence_On_Tools
This week starts with an apology to Michael Gough about comments I (Bryan) mangled on the "Anti-Virus... What is it good for?" podcast. Then we get into the meat of our topic...
Automation is a great thing. It allows us to do a lot more work with less personnel, run mundane tasks without having to think about them, and even lets us run security scans against web applications and other assets in the enterprise.
But is our dependence on these tools making us lazy, or giving us a false sense of security? What is the 'happy medium' we should look for when deciding between spending the GDP of a small country on the latest compliance-busting tool and spending the necessary Operational Expenditure (OpEx) on a couple of junior personnel or a seasoned professional?
Mr. Boettcher and I discuss over-reliance on tools, blindly trusting their results, and what can happen when you have too much automation and not enough people around to manage those tools.
Here is a new episode of Brakeing Down Security Podcast!
Sunday, January 19, 2014
#13: Vulnerability Scanners -- Episode 2
It's an odd thing, editing audio. Some people make it look so easy. It helps having only two people on the podcast. This is not the first podcast I've been on; on my other podcast, "Major Technicality", I am merely a contributor, and Jared, our producer and co-host, spends several hours making everything sound just so.
Anyway, the audio will sound better on this one. Mic levels were dialed in, audio was normalized, and the crackling in the Intro is gone.
I really had a good time talking about vulnerability scanners. It's hard to believe that they've been around for over 20 years, and yet they haven't changed all that much. They still use concepts like banner grabbing, port scanning/knocking, and best guesses to scan a system for vulnerabilities. They should never be used as an end-all, be-all, and their results should truly be taken with a grain of salt.
Question all findings, trust nothing...
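To show concretely why a banner-based finding is a guess rather than a fact, here is a small added example (written for this page; it is not code from the podcast or from any scanner). It does what the "banner grabbing plus best guess" approach in a scanner does: parse a service banner, pull out the version, and compare it against a rule list. The rules (HYPOTHETICAL-SSH-1, HYPOTHETICAL-HTTPD-1) and their version thresholds are constructed for illustration and do not correspond to any real advisory; the sample banners are likewise constructed and nothing is read from the network. The point it makes is the one in the paragraph above: a distribution-packaged build keeps its upstream version number while fixes are backported, so the checker can only lower its confidence, and a masked banner with no version yields no finding at all.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed rules for illustration only (not real advisories):
# "any version of `product` below `fixed_in` gets flagged".
@dataclass(frozen=True)
class Rule:
    label: str
    product: str
    fixed_in: Tuple[int, ...]


RULES = [
    Rule("HYPOTHETICAL-SSH-1", "OpenSSH", (7, 4)),
    Rule("HYPOTHETICAL-HTTPD-1", "Apache", (2, 4, 10)),
]

# The banner grammar this toy checker understands. The last capture group in
# each pattern is the vendor/distribution suffix, if any.
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(\S.*))?$"),
    "Apache": re.compile(r"^(?:Server:\s*)?Apache/(\d+)\.(\d+)\.(\d+)(?:\s+\((.*)\))?"),
}

# Suffix tokens that mean "distribution package": the upstream version number
# stays the same while security fixes are backported, so the number alone
# cannot prove the host is vulnerable.
DISTRO_MARKERS = ("ubuntu", "debian", "centos", "rhel")


@dataclass(frozen=True)
class Finding:
    banner: str
    product: str
    version: Tuple[int, ...]
    rule: str
    confidence: str  # "medium" for an upstream build, "low" when a backport may apply
    note: str


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...], str]]:
    """Return (product, version tuple, suffix), or None for an unrecognised banner."""
    for product, pattern in BANNER_PATTERNS.items():
        m = pattern.match(banner.strip())
        if m:
            *nums, suffix = m.groups()
            return product, tuple(int(n) for n in nums), suffix or ""
    return None


def distro_packaged(suffix: str) -> bool:
    s = suffix.lower()
    return any(marker in s for marker in DISTRO_MARKERS)


def check_banner(banner: str) -> List[Finding]:
    """Apply the rule list to one banner. An unparseable or masked banner yields nothing,
    which is a silent false negative: the scanner simply has no version to reason about."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version, suffix = parsed
    findings = []
    for rule in RULES:
        if rule.product == product and version < rule.fixed_in:
            if distro_packaged(suffix):
                conf = "low"
                note = f"distro package ({suffix}): fix may be backported; check the package changelog on the host"
            else:
                conf = "medium"
                note = "upstream build below the fixed version; confirm with an authenticated check"
            findings.append(Finding(banner, product, version, rule.label, conf, note))
    return findings


def scan(banners: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for b in banners:
        out.extend(check_banner(b))
    return out


# Constructed sample banners, as if collected by connecting to each port.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",   # distro build: version number says "old"
    "Server: Apache/2.4.7 (Ubuntu)",             # same story for the web server
    "SSH-2.0-OpenSSH_8.0",                       # upstream build above the threshold
    "Server: Apache",                            # masked banner: no version, no finding
    "220 mail.example.test ESMTP ready",         # service the checker has no rule for
]

if __name__ == "__main__":
    for f in scan(SAMPLE_BANNERS):
        print(f"[{f.confidence}] {f.product} {'.'.join(map(str, f.version))} -> {f.rule}: {f.note}")
```

Run as-is, the two Ubuntu-packaged banners produce findings tagged "low", the newer OpenSSH build produces none, and the masked Apache banner produces none either. Both of the outcomes a practitioner cares about (a possible false positive and a guaranteed false negative) come from the same root cause: the scanner never looked at the host, only at what the host chose to say about itself. That is the check behind "question all findings".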
Next Friday, we'll be flush from our monthly ISSA meeting, at which Michael Gough, from MI2 Security, will be discussing malware infection, and we are hoping to get a few minutes with him. We'll have the interview spliced into the podcast, and we'll be able to continue our discussion about malware. Our first interview! SQUEEEE!
I would have loved to speak about the other web application security scanners, but I really have only used Burp Suite. Brian and I will be attending SEC542 at the SANS convention 3-8 February in Austin, and we will definitely have one or more podcasts about web application pentesting and security assessment of websites.
Here are the show notes for this week:
Episode 2 show notes