[Owasp-boston] 2 Questions about Jim's Presentation last week

Laverty, Patrick Patrick_Laverty at brown.edu
Mon Nov 23 08:34:09 EST 2009

And they're both about the same statement.


Jim stated that the scanners will "Only going to find 10 - 20% of vulns
- low hanging fruit"


My two questions are:

1.      How do we know that they will only find that number?  If we know
they're missing 80-90%, how did we find them to count those that were

2.      I've read that the most effective and thorough scanning is to
get 4-5 different scanners and use them all, as they will find some
different vulnerabilities.  Has anyone done this?  What did you find
when you looked at all the data from multiple scanners, and how varied are
they at finding different true positive results?


Thank you!
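One way to get data for question 2 (and to make the percentage in question 1 measurable at all) is to normalize each scanner's findings to a tool-independent key and score them against a manually verified ground truth. The following is an added example, not code from the original post; the scanner names, their findings and the ground truth are all constructed.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Findings are matched across tools by (CWE id, path, parameter), not by the
# tool's own vulnerability name, which differs from scanner to scanner.
Finding = Tuple[str, str, str]

# Constructed ground truth: issues confirmed by a manual assessment of a
# hypothetical application. Scanner output is judged against this set.
GROUND_TRUTH: FrozenSet[Finding] = frozenset({
    ("CWE-79", "/search", "q"), ("CWE-89", "/login", "user"),
    ("CWE-79", "/profile", "bio"), ("CWE-352", "/settings", "email"),
    ("CWE-639", "/orders", "id"), ("CWE-22", "/download", "file"),
    ("CWE-918", "/fetch", "url"), ("CWE-611", "/import", "xml"),
})

# Constructed raw results from three hypothetical scanners; names differ per
# tool and some entries are false positives (not in GROUND_TRUTH).
RAW_SCANS: Dict[str, List[dict]] = {
    "scanner_a": [
        {"name": "Reflected XSS", "cwe": "CWE-79", "path": "/search", "param": "q"},
        {"name": "SQL Injection", "cwe": "CWE-89", "path": "/login", "param": "user"},
        {"name": "Reflected XSS", "cwe": "CWE-79", "path": "/help", "param": "topic"},
    ],
    "scanner_b": [
        {"name": "Cross Site Scripting", "cwe": "CWE-79", "path": "/search/", "param": "Q"},
        {"name": "Path Traversal", "cwe": "CWE-22", "path": "/download", "param": "file"},
        {"name": "SSRF", "cwe": "CWE-918", "path": "/fetch", "param": "url"},
    ],
    "scanner_c": [
        {"name": "SQLi", "cwe": "CWE-89", "path": "/login", "param": "user"},
        {"name": "Stored XSS", "cwe": "CWE-79", "path": "/profile", "param": "bio"},
        {"name": "SQLi", "cwe": "CWE-89", "path": "/search", "param": "q"},
    ],
}

def normalize(raw: List[dict]) -> Set[Finding]:
    """Reduce one scanner's output to the tool-independent match key."""
    return {(r["cwe"], r["path"].rstrip("/") or "/", r["param"].lower()) for r in raw}

def analyze(scans: Dict[str, List[dict]], truth: FrozenSet[Finding]) -> dict:
    """Per-tool true/false positives and coverage, coverage of the union of all
    tools, and the true positives each tool finds that no other tool does."""
    norm = {tool: normalize(raw) for tool, raw in scans.items()}
    union_tp = set().union(*norm.values()) & truth
    report = {"union_coverage": len(union_tp) / len(truth), "tools": {}}
    for tool, found in norm.items():
        others = set().union(*(f for t, f in norm.items() if t != tool))
        report["tools"][tool] = {
            "true_positives": len(found & truth),
            "false_positives": len(found - truth),
            "coverage": len(found & truth) / len(truth),
            "unique_true_positives": len((found & truth) - others),
        }
    return report
```

With the constructed data no single tool exceeds 3 of 8 confirmed issues, while the union of the three reaches 5 of 8, which is the kind of figure the question is after.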
