Security Basics mailing list archives
Re: Need Vulnerability Management Tool Review
From: Bryan <brakeb () gmail com>
Date: Fri, 12 Oct 2012 12:16:36 -0500
So, how do you explain the fact that the Nexpose/Rapid7 scan and the CW scan differed quite a bit on what was scanned? I mean, I ran the metrics from our QSA against our bi-monthly scan. Both reports covered many of the same items, but also, both reports found things the other didn't have. I guess what I'm saying is that I am having trouble believing either report at this point...

On Oct 12, 2012, at 11:29 AM, nekron 99 <noslen0822 () gmail com> wrote:
> > From: Bryan <brakeb () gmail com>
> > We are not running credentialed scans, so the Apache and OpenSSL vulns found are largely false positives. We run RHEL5 and 6, so the scans appear to look at just the $version and not $version-$release, so 'httpd-2.2.3-63.el5_8.1.x86_64.rpm' is seen by CW and apparently Nexpose as '2.2.3'.
>
> We use Critical Watch and are very happy with it! What you are running into is backporting issues. It's probably best explained by their FAQ article: http://www.criticalwatch.com/faq/backporting/
>
> <snip>
> Backporting is the action of taking a certain software modification (patch) and applying it to an older version of the software than it was initially created for. It forms part of the maintenance step in a software development process. When a network vulnerability scanner assesses a machine, it will base some of its findings on found versions of software. If these versions are known to be vulnerable to certain issues, they are enumerated as vulnerable to their respective CVEs. However, if your vendor backports the security fixes into your existing version of Apache, you may not actually be vulnerable, but based on the version, the software appears to still be vulnerable. When FusionVM scans with credentials, the system will automatically enumerate the list of installed patches and auto-suppress vulnerabilities that have been addressed by backported patches. FusionVM can do this internally and externally from the internet, but it requires standard user access (username/password/public key) to a Secure Shell (SSH) service on that machine.
> <snip>
>
> Best Regards

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
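The $version versus $version-$release point in the exchange above, as an added worked example that is not part of the list thread and is not code from Critical Watch, Rapid7 or Red Hat: it parses the RPM name from Bryan's message, implements a simplified rpmvercmp, and runs the same host through a version-only check (what an unauthenticated scan sees) and a version-plus-release check (what a credentialed scan can do). The advisory values are constructed for illustration only: the "upstream fixed in 2.2.22" version, the "vendor backported fix in httpd-2.2.3-63.el5_8.1" build and the older host httpd-2.2.3-53.el5_7 are assumptions, not taken from any real errata.

```python
"""
Added example (not from the list thread, Critical Watch or Rapid7):
why a version-only match on a RHEL package flags a backported fix as
vulnerable, and how comparing version AND release against the vendor's
fixed build suppresses it. Advisory data is constructed for illustration.
"""
import re

# RPM file name layout: <name>-<version>-<release>.<arch>.rpm
# Release may contain dots ("63.el5_8.1"), so anchor on the arch and
# ".rpm" suffix and split on the last two dashes.
_RPM_FILE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)\.rpm$"
)


def parse_rpm_filename(fname):
    """Return (name, version, release, arch) for an RPM file name."""
    m = _RPM_FILE.match(fname)
    if not m:
        raise ValueError(f"not an RPM file name: {fname}")
    return m.group("name"), m.group("version"), m.group("release"), m.group("arch")


def split_nvr(nvr):
    """Split 'name-version-release' (as printed by `rpm -q`) on the last two dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Simplified rpmvercmp returning -1/0/1. Segments are runs of digits or
    letters; digits compare numerically, letters lexically, a digit segment
    beats a letter segment, and the string with more segments is newer.
    (Tilde/caret pre-release handling from real rpm is omitted.)"""
    if a == b:
        return 0
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_vr(v1, r1, v2, r2):
    """Compare version-release pairs the way rpm orders packages."""
    c = rpmvercmp(v1, v2)
    return c if c != 0 else rpmvercmp(r1, r2)


def naive_version_check(installed_file, upstream_fixed_version):
    """Unauthenticated, banner-style logic: look only at the upstream version.
    Returns True when the scanner would report the host vulnerable."""
    _, ver, _, _ = parse_rpm_filename(installed_file)
    return rpmvercmp(ver, upstream_fixed_version) < 0


def release_aware_check(installed_file, vendor_fixed_nvr):
    """Credentialed logic: compare version and release against the vendor
    build that carries the backported fix. True means still vulnerable."""
    name, ver, rel, _ = parse_rpm_filename(installed_file)
    fname, fver, frel = split_nvr(vendor_fixed_nvr)
    if name != fname:
        raise ValueError(f"package mismatch: {name} vs {fname}")
    return compare_vr(ver, rel, fver, frel) < 0


# Constructed scenario (NOT real errata): upstream fixed the issue in
# 2.2.22; the vendor backported it into build httpd-2.2.3-63.el5_8.1.
UPSTREAM_FIXED_VERSION = "2.2.22"
VENDOR_FIXED_NVR = "httpd-2.2.3-63.el5_8.1"

PATCHED_HOST = "httpd-2.2.3-63.el5_8.1.x86_64.rpm"  # the package from the thread
OLDER_HOST = "httpd-2.2.3-53.el5_7.x86_64.rpm"      # constructed, predates the fix


def triage(installed_file):
    """Return (version_only_flag, release_aware_flag) for one host."""
    return (
        naive_version_check(installed_file, UPSTREAM_FIXED_VERSION),
        release_aware_check(installed_file, VENDOR_FIXED_NVR),
    )


if __name__ == "__main__":
    for host in (PATCHED_HOST, OLDER_HOST):
        naive, aware = triage(host)
        print(f"{host}: version-only vulnerable={naive}, release-aware vulnerable={aware}")
```

The patched host comes back as (True, False): the version-only check reports it because 2.2.3 is older than the upstream fix, the release-aware check suppresses it because the installed build is not older than the vendor build carrying the backport; the older host is (True, True) under both. On the host itself, `rpm -q httpd` prints the same name-version-release string a credentialed scan collects, and `rpm -q --changelog httpd | grep -i cve` lists the CVEs the vendor's changelog records as backported, which is the ground truth an unauthenticated version match cannot see.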
Current thread:
- RE: Need Vulnerability Management Tool Review, (continued)
- RE: Need Vulnerability Management Tool Review Dave Kleiman (Oct 10)
- RE: Need Vulnerability Management Tool Review Ulm, Matt (Oct 10)
- RE: Need Vulnerability Management Tool Review Chris Garlington (Oct 10)
- Re: Need Vulnerability Management Tool Review gold flake (Oct 11)
- Re: Need Vulnerability Management Tool Review neo anderson (Oct 11)
- Re: Need Vulnerability Management Tool Review Bryan (Oct 11)
- Re: Need Vulnerability Management Tool Review Metahuman (Oct 11)
- Re: Need Vulnerability Management Tool Review Bryan (Oct 11)
- Re: Need Vulnerability Management Tool Review Vijay (Oct 10)
- Re: Re: Need Vulnerability Management Tool Review Julian . chec (Oct 11)
- Re: Need Vulnerability Management Tool Review nekron 99 (Oct 12)
- Re: Need Vulnerability Management Tool Review Bryan (Oct 12)
- Re: Need Vulnerability Management Tool Review nekron 99 (Oct 12)
- Re: Need Vulnerability Management Tool Review nekron 99 (Oct 14)
- Re: Need Vulnerability Management Tool Review Bryan (Oct 12)