IMHO, I believe its bad thinking if one runs a vulnerability scanner and then runs metasploit, canvas or even core on the network and if you have a clean read you announce the network safe.  Sure it’s a great start and perhaps you can state the network is free from a script kiddies’ attacks as far as that kind of exploit goes, but there are software exploits that these tools are unaware of.  There is a very select and private group out there that has some exploits that they don’t share. One hacker I know claimed to be aware of a small group that passed around among themselves almost 10 window exploits that Microsoft wasn’t aware and I believe him because he always seemed credible in my past dealings with him. 
     We all know that poor programming results in the ability to exploit sometimes. Windows XP has about 40 million lines of code and a common estimate used in the industry is that there are between 5 – 50 bugs per 1000 lines of code.  Sad but often true due to time pressures placed on programmers among other reasons. A middle of the road estimate would be that XP has about 1,200,000 bugs!  That equals a lot of potential for exploits. 

Thanks for your comment.  Yes there should be job security in this field.  So much so that if I were to council any young person as far as a career is concerned, this would be the one. Things will change and hacking will get more difficult, but this will be the new battle ground as our lives even get more automated. 
    One other thought. In no way do I want it to appear by my post that I don’t recommend tools like Core and Canvas. On the other hand I find them a great asset.  In fact I have found that certain corporate types really like it if you use a commercial grade pen testing software that’s nationally recognized.  If you don’t use either and you have been having a little problem selling a pen test, try selling the idea that you are using high level commercial grade penetration testing software that is licensed to qualified security individuals and has been used on many fortune 500 companies. I promise you will see that corporate eye brow rise up a little in interest.

never forget that the problem with vulnerability scanners is that they only check for known vulnerabilities.

 if i was truly locking down a network i would be more worried about if my apps were vulnerable to 0day attacks or undiscovered weaknesses in the software than if i passed  a nessus scan. 

that being said, i understand MSF, Canvas, and Core Impact to be exploit frameworks rather than vulnerability scanners, which is a big difference.  those tools give someone the ability to write their own checks and exploits versus relying on whats available on the net. 

thats where your disaster recovery plan and known good backups come in.

0day attacks happen, you have to mitigate risk the best you can on your network with good patch policies, password policies and most importantly user education.

I agree with you if your goal is to lock down every attack vector and you have limitless funds and resources. Most companies that I have worked for have had little of both, so you have to balance, I think, the risk/probability with the cost/effort. I would love to do what you suggest to the nth degree.

However, if most companies would at least run auto tools regularly and fix what they find (or knowingly accept the risk in some areas), we'd be better off. I wish more companies would do at least that.

I think if you can at least lock down the basics, you can successfully get the skiddie and others slightly above her to move on to an easier target. Automated tools help you get there, but as you said, they can't do it all.

Let me clarify: I'm speaking in terms of what I feel a security professional's goal is: maximize profits. That of course means you weight cost/effort against the risk and only put in/recommend the security that is "needed" and cost beneficial for the company. The problem is in accurately determining (sometimes called guessing) what the probability a threat has--and that's different depending on the company and the industry.

It's not an exact science. I have seen simple vulnerabilities go untouched for years. Some things are just not found. They all give me pause, but I can't expect each industry to lock down like it's a financial institution. But at the same time, I can't expect companies to lock down things that won't lead to much of a loss, even if it is exploited; sometimes the cost is just too high and it's cheaper to clean up IF IT HAPPENS.

I know many of you will disagree, but that's what forums are all about: sharing perspectives and being stretched out of your comfort zone--and pondering what others advocate.

Kev, I enjoy your perspective. Keep it up. And congrats on your prize!