Re: Need Vulnerability Management Tool Review

[Bryan <brakeb () gmail com>]

So, how do you explain the fact that the Nexpose/Rapid7 scan and the CW scan differed quite a bit on what was scanned?  
I mean, ran the metrics from  our QSA against our bi-monthly scan.  Both reports covered many of the same items, but 
also, both reports found things the other didn't have.

I guess what I'm saying is that I am having trouble believing either report at this point...



On Oct 12, 2012, at 11:29 AM, nekron 99 <noslen0822 () gmail com> wrote:

> From: Bryan <brakeb () gmail com>
>
> > We are not running credentialed scans, so the Apache
> > and OpenSSL vulns found are largely false positives. We run RHEL5 and
> > 6, so the scans appear to look at just the $version and not
> > $version-$release, so 'httpd-2.2.3-63.el5_8.1.x86_64.rpm' is seen by
> > CW and apparently Nexpose as '2.2.3'
>
>
>
> We use Critical Watch and are very happy with it!
>
> What you are running into is back porting issues.  Its probably best
> explained from their FAQ article.
>
> http://www.criticalwatch.com/faq/backporting/
>
> <snip>
> Backporting is the action of taking a certain software modification
> (patch) and applying it to an older version of the software than it
> was initially created for. It forms part of the maintenance step in a
> software development process.
>
> When a network vulnerability scanner assess a machine, it will base
> some of its findings on found versions of software. If these versions
> are known to be vulnerable to certain issues, they are enumerated as
> vulnerable to their respective CVE’s. However, if your vendor
> backports the security fixes into your existing version of Apache, you
> may not be actually be vulnerable, but based on the version, the
> software appears to still be vulnerable.
>
>
> When FusionVM scans with credentials, the system will automatically
> enumerate the list of installed patches and auto-suppress
> vulnerabilities that have been addressed by backported patches.
> FusionVM can do this internal and external from the internet but it
> requires standard user access (username/password/publickey) to an
> Secure Shell (SSH) service on that machine.
> <snip>
>
> Best Regards
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------