Henry Dalziel | Hacker Hotshots, Pentesting Tools, Product Reviews, Resources and Tutorials | August 5, 2013
OpenVAS, the Open Vulnerability Assessment System, has a loyal community that is adamant about the usefulness of the program. This post investigates the framework a little further and recommends our favourite OpenVAS tutorial (a comprehensive and detailed 45-minute video).
Having hosted several Hacker Hotshot web shows that examine how to test for web application vulnerabilities, we thought it would be wise to complement our web shows with a few words on OpenVAS. (Side note: if you are reading this with an interest in securing your web application then here are a few Hacker Hotshot events you might find interesting: “Secure Code Reviews Magic or Art?” with Sherif Koussa, “ThreadFix” with Dan Cornell, “Pentesting Smart Grid Web Apps” with Justin Searle and “IronWASP – Open Source Web Security Testing Platform” with Lavakumar Kuppan. For a full list of our information security web shows from 2011 to 2013 please click here.)
What is OpenVAS (brief summary!)
OpenVAS is a framework that comprises multiple vulnerability scanning and vulnerability management tools. OpenVAS is updated daily through the Network Vulnerability Tests (NVT) feed. The NVT feed is configured as the default ‘updating system’ for OpenVAS, and the framework is freely available under the GNU General Public License (GNU GPL). Many of the pentesting or vulnerability scanning tools covered in reviews we have published are either free or open-source (two example reviews being World’s Best 50 Firefox Pentesting AddOns and “Mobile Forensics Tools”), and OpenVAS is no exception. OpenVAS, as a free solution, is warmly welcomed by those of us on a budget and by those of us who would like to learn how to find, and therefore patch and secure, vulnerabilities within our applications. Other solutions, like Nessus (which used to be free) and products from SAINT or Netsparker, are excellent and we’d certainly recommend them, but they are expensive.
Our recommended OpenVAS Tutorial
We have scoured the Internet and this is by far our most highly recommended OpenVAS tutorial. NetSecNow (his YouTube username) has compiled a 45-minute video outlining how to set up, update and use OpenVAS from within Kali Linux. Here’s the video on our site or, if you prefer, here it is on YouTube. The author has also written a script that opens the OpenVAS GUI every time you boot into Kali Linux.
OpenVAS and False Positives!
False positives are a fact of life when it comes to penetration testing and web vulnerability scanning. We have often seen false positives when executing vulnerability scans where, after additional investigation, the flagged threats did not exist. All reporting (and this applies to all web vulnerability scanners) must always be examined with a ‘pinch of cyber salt’ – in fact, this is what often separates the experienced from the not-so-experienced when it comes to understanding what constitutes a threat and what does not.
False positives must also be weighed against the exposure of the affected application. If the application is front-facing, or Internet-facing, a flagged issue should merit urgent investigation. An application that runs on an internal, trusted LAN ought still to be considered a threat, but could be given a less urgent priority. Time, as usual, is our most expensive commodity, so the point being made here is that false positives must be placed in strict context and prioritized.
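The prioritisation described above, as an added example (not code from this post or from the OpenVAS project): findings are ordered for manual verification by exposure first and CVSS score second. The report XML is a constructed, simplified sample; its element names, the assumption that host fields are IP addresses, the RFC 1918 internal ranges and the `PUBLISHED_HOSTS` set are all assumptions to adapt to your own export and network.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, simplified from the <result> elements of an OpenVAS XML
# report export. Hosts, finding names and scores are made up for illustration.
SAMPLE_REPORT = """<report><results>
  <result><host>10.0.5.12</host><port>ssh (22/tcp)</port>
    <nvt oid="0.0.0.1"><name>Constructed finding A</name><cvss_base>9.3</cvss_base></nvt></result>
  <result><host>203.0.113.20</host><port>http (80/tcp)</port>
    <nvt oid="0.0.0.2"><name>Constructed finding B</name><cvss_base>5.0</cvss_base></nvt></result>
  <result><host>203.0.113.20</host><port>https (443/tcp)</port>
    <nvt oid="0.0.0.3"><name>Constructed finding C</name><cvss_base>7.5</cvss_base></nvt></result>
  <result><host>10.0.5.30</host><port>general/tcp</port>
    <nvt oid="0.0.0.4"><name>Constructed finding D</name><cvss_base></cvss_base></nvt></result>
</results></report>"""

# Assumption: the trusted LAN uses RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: internal hosts published through NAT or a reverse proxy are listed here.
PUBLISHED_HOSTS = {"10.0.5.30"}

def exposure(host):
    """Classify a scanned host address as 'internet' or 'internal'."""
    addr = ipaddress.ip_address(host)
    if host in PUBLISHED_HOSTS or not any(addr in net for net in INTERNAL_NETS):
        return "internet"
    return "internal"

def verification_queue(report_xml):
    """Order findings for manual verification: exposure first, then CVSS score."""
    findings = []
    for res in ET.fromstring(report_xml).iter("result"):
        host = res.findtext("host", "").strip()
        score = res.findtext("nvt/cvss_base", "").strip()
        findings.append({
            "host": host,
            "port": res.findtext("port", "").strip(),
            "name": res.findtext("nvt/name", "").strip(),
            "cvss": float(score) if score else 0.0,  # treat a missing score as 0.0
            "exposure": exposure(host),
        })
    # Nothing is dropped: every entry stays unverified until it is checked by hand.
    return sorted(findings, key=lambda f: (f["exposure"] != "internet", -f["cvss"]))

if __name__ == "__main__":
    for f in verification_queue(SAMPLE_REPORT):
        print(f'{f["exposure"]:8} {f["cvss"]:4.1f} {f["host"]:14} {f["port"]:16} {f["name"]}')
```

On the sample, the 9.3-scored finding on the internal host lands last in the queue, behind every Internet-facing finding, but it is not discarded.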
We have only played with OpenVAS several times in the last few weeks and are keen to get our teeth sunk into the program, not least because we have to test certain applications which we will be launching soon. We’d therefore really appreciate any feedback that you might be able to give us! Props to the creator of the YouTube tutorial mentioned above and the OpenVAS development team.