Joe,

My input on your question...

In an ideal situation, no.  Vulnerability assessment
tools will never replace the well-prepared and
knowledgeable pen testing team...notice I did not say
"person" or "individual".  

However, somewhere along the way you took the red pill
and you're in the real world.  Someone can put the
right twist on the numbers and show that the licensing
for ISS is much less costly than hiring X number of
qualified pen testers...better to go with a commercial
product like ISS with all of its false positives and
other issues, and have a bunch of low-paid, drunken
monkeys run the tool.  Or, hire one or two people to
maintain an up-to-date version of Nessus, with some
custom checks, and leave it at that.

Cynical, perhaps, but I've been there, seen that, and
got the t-shirt.  In fact, you might even have already
had customers who demand that the ISS products be
used, so they can tell their customers and Board of
Directors that they were scanned w/ ISS, and/or have
RealSecure installed...regardless of the
implementation, etc.

When it comes to security, business decisions crowd
out simple common sense...
