[rescue] Do you remember when? Security software.....

Kevin kevin at mpcf.com
Fri Aug 8 12:24:46 CDT 2003


I agree here on both counts.  You cannot do an efficient audit of your own policies and security.  That in and of itself would be a controls violation (not sure if you guys are public or not, so it might not be illegal, but it's still not considered good practice).  You can of course do your own work so that your outside auditors don't find much to report.

Secondly, as Walter stated, just using these apps doesn't make you good or bad.  They are tools; used well they work well, used poorly they work poorly.  The final report and explanations would be the deciding factor.  I use these tools all the time during security audits for outside companies, but the report outputs are never more than 10% or so of the final report.  Most security issues are not technical ones anyway; most are controls issues, and no software I know of can check for that.

/KRM

On Fri, 8 Aug 2003 19:11:58 +0200
Walter Belgers <walter+rescue at belgers.com> wrote:
> 
> You cannot do a good security audit on your own network.
> 
> > recognizing the software that they are running. So can anyone throw out any
> > good software packages in this area? Also some good intrusion detection
> > software wouldn't hurt also.
> 
> If they run the tools above, they are not necessarily frauds. If the
> report they write is basically a nessus output then yes, they're frauds.
> If you want to prevent frauds coming in, why not ask the company for a
> sample report and see what their modus operandi is?
