Hacker News

I agree to a large extent. I've been asked for 'a non-intrusive penetration test'... Uh, what? Then you hammer it out and they're looking for what we call a 'vulnerability assessment'. The pen-test without the pen- phase.

There's a large number of people running those tools and doing exactly as you describe. I call them 'the competition'. They bid low and ship a canned report with little to no analysis or follow-up. I highly recommend everyone scan themselves regularly. None of the tools you mentioned are too scary. I do tend to find the severity ratings to be out of whack with the real-world impacts a lot of the time, so if you see a bunch of red in the report, don't panic. Read the text and figure out what it means to your network. The Metasploit Framework has a bit of a learning curve, but nothing too daunting, and really it's not necessary for a maintenance scan. You can always invest in a licensed version if the Framework scares you.

Those tools don't provide meaningful coverage of web applications but they would give you a decent idea of the security posture of your network perimeter.

Many situations require the disinterested third party to perform the assessment or audit though. Sometimes customers/partners want to see your last report if you're dealing B2B and then there are the compliance requirements (PCI, health or personal information).

The one thing about that report that really bothered me was the remediation price tags. I know a lot of companies do similar things, but we never offer remediation services since it would put us in a conflict of interest. I turn down security product installs regularly on our assessment and penetration testing customers because I don't want us in a position where we're auditing our own work. It's a point of contention sometimes, but it's an audit independence requirement and I won't budge on the issue.
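The commenter's advice to ignore the scanner's colour-coding and work out what each finding means to your own network can be turned into a small triage step. The following is an added example, not code from the comment above and not any scanner's own scoring logic: it takes a list of findings as a canned report would present them, looks up the host in an asset inventory (exposure, data held, compensating controls) and shifts the scanner's severity up or down from that context. All hosts, findings, inventory entries and the shifting rules are constructed for illustration.

```python
"""Re-rank raw scanner findings by what they mean to your own network.

Added example for the comment above; it is not from the post and not
any scanner's own scoring. A scanner rates a finding from the plugin
alone, so this takes each finding plus the asset's exposure, data and
compensating controls and shifts the level accordingly. The findings,
hosts, inventory and rules below are constructed sample data.
"""

LEVELS = ["Info", "Low", "Medium", "High", "Critical"]
SENSITIVE_DATA = {"customer", "credentials", "source"}
REMOTE_ADMIN_PORTS = {3389, 5900}  # RDP, VNC: should never face the internet

# Constructed scanner output, in the shape a canned report lists it.
FINDINGS = [
    {"host": "10.0.0.5", "port": 445, "title": "SMBv1 enabled", "scanner": "Critical"},
    {"host": "203.0.113.10", "port": 443, "title": "TLS 1.0 supported", "scanner": "Low"},
    {"host": "203.0.113.10", "port": 22, "title": "SSH weak MAC algorithms", "scanner": "Low"},
    {"host": "10.0.0.9", "port": 8080, "title": "Outdated Tomcat manager", "scanner": "High"},
    {"host": "203.0.113.12", "port": 3389, "title": "RDP exposed", "scanner": "Medium"},
]

# Constructed asset inventory: the context the scanner does not have.
ASSETS = {
    "10.0.0.5": {"exposure": "internal", "role": "print server", "data": "none", "controls": ["segmented-vlan"]},
    "203.0.113.10": {"exposure": "internet", "role": "web frontend", "data": "customer", "controls": ["waf"]},
    "10.0.0.9": {"exposure": "internal", "role": "build server", "data": "source", "controls": []},
    "203.0.113.12": {"exposure": "internet", "role": "jump host", "data": "credentials", "controls": []},
}


def rescore(finding, asset):
    """Return (level, reasons): the scanner's level shifted by asset context."""
    idx = LEVELS.index(finding["scanner"])
    reasons = []
    if asset["exposure"] == "internet":
        idx += 1
        reasons.append("reachable from the internet")
    else:
        idx -= 1
        reasons.append("internal only")
    # Sensitive data only matters once the finding is plausibly exploitable.
    if asset["data"] in SENSITIVE_DATA and finding["scanner"] in ("High", "Critical"):
        idx += 1
        reasons.append(f"host holds {asset['data']} data")
    if "segmented-vlan" in asset["controls"]:
        idx -= 1
        reasons.append("isolated VLAN limits lateral movement")
    if finding["port"] in REMOTE_ADMIN_PORTS and asset["exposure"] == "internet":
        idx = LEVELS.index("Critical")  # hard floor regardless of plugin rating
        reasons.append("remote admin service on the perimeter")
    idx = max(0, min(idx, len(LEVELS) - 1))
    return LEVELS[idx], reasons


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Attach the contextual level and reasons to each finding, worst first."""
    out = []
    for f in findings:
        level, reasons = rescore(f, assets[f["host"]])
        out.append({**f, "level": level, "reasons": reasons})
    # sort() is stable, so findings at the same level keep their report order.
    out.sort(key=lambda r: -LEVELS.index(r["level"]))
    return out


if __name__ == "__main__":
    for r in prioritize():
        print(f'{r["level"]:8} (scanner: {r["scanner"]:8}) '
              f'{r["host"]}:{r["port"]} {r["title"]} - {"; ".join(r["reasons"])}')
```

On this sample the one finding the scanner flagged Critical (SMBv1 on an isolated internal print server) drops to Medium, while the Medium "RDP exposed" on an internet-facing jump host becomes the top item; the reasons list is what you would paste next to each row of the report when explaining to management why the red was not where it seemed to be. The shift rules are deliberately simple; the point is that the inventory, not the plugin, decides the order.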



