Educause Security Discussion mailing list archives

Re: Rapid7 NeXpose


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 24 Jun 2009 15:27:24 -0700


We used Rapid 7 once in 2006. For similar reasons others have raised, we chose not to continue with them.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hart, Lee Anne
Sent: Wednesday, June 24, 2009 2:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Rapid7 NeXpose

Hi Heather, 

We use Rapid7’s Nexpose both internally and externally (PCI compliance).  I primarily use it internally and I’ve not 
been impressed. The product was already here when I started. I’ve been using it for about two months now and here are 
my gripes and praises: 

Cons
1. Their technical support is the worst. All they seem to know how to do is tell you to RTFM (Read the manual). 
2. The Oracle policy file only works completely on Oracle 7, 8, and 9. 
3. It has the capability to do regex file checking but I’ve yet to get it to work. The scan log file is useless in 
trying to determine what parts of the scan worked and didn’t work.
4. I couldn’t find a way to change my initial password. Good thing I was given administrator access. 
5. Did I mention the technical support is not very good ☺ ?? 
6. It’s not Nessus ☹ 

Pro
1. Runs on *unix server ;-)
2. Nice reporting with pretty reports and remediation steps  (though not thoroughly reviewed to ensure they are 
accurate and useful).

I have no experience with Qualys.

Hope that helps, 
Lee Anne


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Axworthy, Heather
Sent: Tuesday, June 23, 2009 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Rapid7 NeXpose

Hi all,

We are in the middle of evaluating vulnerability scanning tools.   I recently had a demo of Rapid7’s NeXpose tool.  
Just curious if there are any other institutions that currently use it and if it met your scanning needs.  We are 
looking at their SaaS model for external scanning.  

We are also in the middle of evaluating Qualys and I was also wondering if anyone out there did a comparison between the 
two products.  

Again, any information would be greatly appreciated.

Please feel free to reply off list.

Thanks,
Heather


:: Heather Axworthy, Lead Security Specialist
:: University Information Technology Services (UITS)
:: University of Massachusetts President's Office
:: 774.455.7762 Phone
:: 774.455.7733 Fax
:: haxworthy () umassp edu

University of Massachusetts : 333 South St. : Suite 400 : Shrewsbury, MA 01545 : www.massachusetts.edu


