by tw04 4149 days ago
I've actually had the exact opposite experience. Security Engineers at most companies have no idea what they're doing beyond running the scanner and parroting whatever it spits out.

"The scanner says your server is vulnerable"

"Yeah, we patched that vulnerability weeks ago"

"The scanner says it's vulnerable"

"OK... (looks at scanner) oh, it's just reading the banner, and not taking into account that the major rev didn't change. It's patched."

"The scanner says it's vulnerable"

"OK... so what if I change the banner so it doesn't pick it up as vulnerable?"

"The scanner says it's secure now, thanks!!"

The guys who know their stuff in security generally have a desire to actually get paid well, and have time to do legitimate research. They don't really have a desire to sit in a corporate job dealing with the mountains of bureaucratic bullshit that goes along with security in a corporation. Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?

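The banner exchange above is the classic backport false positive: a distro ships the upstream fix in its own package revision without bumping the upstream version string, so a scanner that only compares the advertised version keeps flagging the host, and hiding the banner makes the scanner go quiet without changing anything. The following is an added example (not code from the thread or from any scanner vendor) that contrasts the naive banner comparison with a check that also looks for the fix in the package changelog. The banners, the package changelog text and the advisory id CVE-0000-0000 are all constructed placeholders for illustration.

```python
"""Banner-only vulnerability flagging vs. patch-aware verification.

Added example, not from the original thread. Everything below (banners,
changelog text, the placeholder advisory id) is constructed for illustration.
"""
import re
from typing import Optional, Tuple

# Constructed finding. CVE-0000-0000 is a placeholder, not a real advisory;
# "fixed_in" is the upstream release that first shipped the fix.
FINDING = {"id": "CVE-0000-0000", "product": "Apache", "fixed_in": (2, 4, 10)}

# Constructed package changelog, in the style of `rpm -q --changelog httpd`
# on a distro that backported the fix into its 2.4.6 package.
CHANGELOG_PATCHED = """\
* Tue Jan 01 2019 Distro Maintainer <maint@example.org> - 2.4.6-89
- Resolves: CVE-0000-0000 - backport upstream fix, version string unchanged
"""


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Extract (product, version tuple) from a Server/SSH-style banner.

    Returns None when the banner carries no version at all (e.g. Apache
    configured with ServerTokens Prod), which is exactly the case the
    thread's "change the banner" trick produces.
    """
    m = re.match(r"([A-Za-z]+)[/_ ]v?(\d+(?:\.\d+)+)", banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def scanner_says_vulnerable(banner: str, finding=FINDING) -> bool:
    """The naive scanner: advertised version below fixed_in means vulnerable.

    No banner, or a banner for another product, means no finding, so hiding
    the version silences the scanner without touching the actual software.
    """
    parsed = parse_banner(banner)
    if parsed is None or parsed[0].lower() != finding["product"].lower():
        return False
    return parsed[1] < finding["fixed_in"]


def changelog_mentions(changelog: str, advisory_id: str) -> bool:
    """Distros record backported fixes in the package changelog
    (rpm -q --changelog <pkg>, or /usr/share/doc/<pkg>/changelog.Debian.gz).
    A hit here is evidence the fix is present despite the old version string.
    """
    return advisory_id in changelog


def patch_aware_status(banner: str, changelog: str, finding=FINDING) -> str:
    """Combine the banner hint with evidence from the installed package.

    Returns one of three verdicts so the two failure modes stay distinct:
    a banner-only flag that the changelog refutes, and a banner-only flag
    with no evidence either way (which still needs a human to look).
    """
    if not scanner_says_vulnerable(banner, finding):
        return "not flagged by version"
    if changelog_mentions(changelog, finding["id"]):
        return "flagged by banner, fixed by backport"
    return "flagged by banner, no evidence of fix"


if __name__ == "__main__":
    for banner, changelog in [
        ("Apache/2.4.6 (CentOS)", CHANGELOG_PATCHED),  # patched via backport
        ("Apache/2.4.6 (CentOS)", ""),                 # no evidence of a fix
        ("Apache/2.4.10 (Unix)", ""),                  # upstream fixed release
        ("Apache", ""),                                # banner hidden, nothing changed
    ]:
        print(f"{banner!r:30} scanner={scanner_says_vulnerable(banner)!s:5} "
              f"verdict={patch_aware_status(banner, changelog)}")
```

The point of the three-way verdict is that "the scanner flagged it" and "it is vulnerable" are different claims: the banner gives you a lead, the package metadata (or an actual probe of the fixed behaviour) gives you evidence, and the hidden-banner case shows that silencing the scanner proves nothing either way.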

>Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?

Except those strong password policies don't strengthen security at all, neither in theory nor practice. Congratulations, the CEO's password is now "qweRTY" and it's written on a yellow sticky-note on his monitor.

A post-it note on his monitor with a secure password (they generally require a number or special character, as well as being 8 characters long) is actually better security than an extremely simple password. I can have him lock his office door... I can't prevent someone from brute forcing the password he's re-used on every site on the internet.

I literally tell my parents to have a secure password they write on a post-it note. The odds of someone breaking into their house for their password is about 1/10000th the odds of someone cracking their simple password on a website and getting the keys to the kingdom.