Educause Security Discussion mailing list archives
Re: Vulnerability scanners - what do you use? What seems to be successful for your environment?
From: Steve Werby <smwerby () VCU EDU>
Date: Fri, 28 May 2010 18:47:27 -0400
On 5/25/2010 4:04 PM, William C. Moore II wrote:
> We use Nexpose by Rapid7 and have done so successfully for multiple years now. I also use various other assessment tools to validate my Nexpose reports and to ensure we (and Rapid7) are staying up-to-date.
We use NeXpose for system scans and WebInspect for web app scans. We haven't provided system access to those outside of Information Security, but we recently increased our NeXpose licensing to expand our scanning potential by a factor of 10, and we're bringing Rapid7 on-site in June to train IT staff from outside of our central IT unit so we can delegate scanning.

Not surprisingly, we get much better visibility into vulnerabilities with WebInspect when credentialed scans are run. We don't typically run it in the most aggressive mode, but it can still have an undesirable impact with apps that have forms that result in email generation or DB inserts/updates. It's important to collaborate with the app owner to understand the behavior of the app to make configuration adjustments, especially if there's no test/dev environment to scan against. I don't consider this a flaw in the solution. It's a side effect of determining whether certain vulnerabilities exist. And if the scanner can do it, so can an attacker.

There was a study a few months ago that concluded that roughly 50% of web app vulnerabilities go undetected by the handful of scanning solutions that were tested. I like semi-automated web app scanning, but it's an important point. Business logic flaws, unencrypted transmission of session cookies, flaws in JS or AJAX code, and a variety of other vulnerabilities may go undetected by these tools.

Per John Ladwig's suggestion I'll include some info about our environment. We have 32k students and 10k employees, an academic campus and a medical campus, $220 million in annual funded research and a distributed IT environment with approximately 40% of IT staff in our central IT unit.

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
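One of the gaps Steve names above, unencrypted transmission of session cookies, is cheap to check by hand when reviewing a scanner's results. The script below is an added example and is not part of the original post or of NeXpose/WebInspect; it audits captured Set-Cookie headers and flags any cookie that looks like a session or auth cookie but is missing the Secure flag (so a browser will resend it over plain http://), lacks HttpOnly, or was issued over plain HTTP in the first place. The SESSION_NAME_HINTS list and the sample response headers are constructed assumptions for the example.

```python
"""Audit Set-Cookie headers for session cookies a browser would send in the clear.

Added example; the name heuristics and sample headers below are constructed
for illustration and are not from the original post or any vendor product.
"""
from dataclasses import dataclass, field

# Name fragments that usually mark a session or authentication cookie.
# Assumption for this example; tune to the applications being scanned.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: str
    looks_like_session: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attribute_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header_value, served_over_https):
    """Return a CookieAudit; findings are only raised for session-like cookies."""
    name, attrs = parse_set_cookie(header_value)
    audit = CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite", "").lower() or "none-set",
        looks_like_session=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )
    if not audit.looks_like_session:
        return audit
    if not served_over_https:
        audit.findings.append("issued over plain HTTP: value already crossed the wire in clear text")
    if not audit.secure:
        audit.findings.append("missing Secure: browser will resend it over http:// links")
    if not audit.httponly:
        audit.findings.append("missing HttpOnly: readable by injected script")
    if audit.samesite == "none-set":
        audit.findings.append("no SameSite attribute: relies on the browser's default")
    return audit


def audit_response(headers, served_over_https=True):
    """headers: list of (name, value) pairs as captured from one HTTP response."""
    return [audit_cookie(v, served_over_https) for n, v in headers if n.lower() == "set-cookie"]


# Constructed sample response headers (not captured from any real site).
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=3F9A1C2E; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
    ("Set-Cookie", "authtoken=QmFzZTY0; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def main():
    for audit in audit_response(SAMPLE_RESPONSE_HEADERS, served_over_https=True):
        status = "OK" if not audit.findings else "; ".join(audit.findings)
        print(f"{audit.name}: {status}")


if __name__ == "__main__":
    main()
```

Run it against headers captured from a credentialed session (a proxy export or curl -D output) rather than the login page alone, since the cookie that matters is the one issued after authentication; a scanner that never logs in never sees it, which is the same reason credentialed scans show more.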