Archive for February, 2007
Tuesday, February 27th, 2007
It seems that the debate over automatic vs. manual penetration tools raises serious questions within government agencies. South Carolina and Delaware already use Core Impact; others might follow:
Posted in Articles, Penetration Testing
Monday, February 26th, 2007
Nick Baskett wrote an interesting article in it-observer about best practices when hiring an external penetration testing consultant. I hope that more and more business decision makers will apply his advice:
Posted in Articles, Penetration Testing
Friday, February 23rd, 2007
If there is any mention of XSS, there is a big chance RSnake’s name or his cheat sheet is mentioned along with it. His contribution to web application security awareness is legendary.
Posted in Articles, Web Applications
Wednesday, February 21st, 2007
It seems that Esser’s initiative to disclose one PHP vulnerability each day during March 2007 is unpopular among core PHP developers, especially with Zeev Suraski, co-creator of PHP and chief technology officer of Zend, which manages PHP development.
Posted in Month Of PHP Bugs, Open Mike, Web Applications
Tuesday, February 20th, 2007
ABC News reports on a new attack vector targeted at broadband routers / access points: Drive-By Pharming.
Posted in Articles, Web Applications
Monday, February 19th, 2007
I stumbled upon yet another blind SQL injection tool called sqlmap, written by Bernardo Damele and Daniele Bellucci. I didn’t have time to test it, but the tool’s description is quite ambitious
Posted in Sql Injection, Tools
Saturday, February 17th, 2007
Tenable puts cool antivirus deployment audit checks into its groundbreaking Nessus tool. Compliance is the universal security obsession and I think Nessus will move more and more into this area. Quote:
Posted in Tools, Vuln. Scanner
Saturday, February 17th, 2007
The other day I attended a meeting where I got hit by a new concept. It is the unfortunate brainchild of the new age of risk management and compliance obsession. So it goes like this: Compliance = Vulnerability.
Posted in Open Mike
Thursday, February 15th, 2007
The 10th issue (February 2007) of (IN)SECURE Magazine is out! The topics covered include: "Microsoft Windows Vista: significant security improvement?" and "Review: GFI Endpoint Security".
Posted in Articles
Monday, February 12th, 2007
The (in)famous Adobe Acrobat Reader Plugin Universal PDF XSS is the scariest vulnerability discovered this year because it can turn any PDF into an XSS attack vector.
Posted in Articles, Web Applications