PaulDotCom mailing list archives

Re: Best ROI Combination - Metasploit & Training

From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 13 Dec 2012 13:23:28 -0600

Arch Angel <arch3angel () gmail com> writes:

Honestly Albert, I can't say that I have a legitment "reason" per say.  I
have found, in my experience, to get the full benefit of Nessus you really
need Security Center and the other products, but in general that's not a
real reason, just a personal opinion.  I have just seen NexPose as a better
product over all, in look, feel, and acurancy.  However, again this is just
my opinion I really don't have a reason outside personal preference I guess.

I'm not opposed to diving deeper into Nessus and learning the advanatges or
capabilities though.


Robert, 

I would encourage shooting out Nexpose and Security Center side by
side with an evaluation that gets sales engineers involved and get a
quote early on for what you need.  

It's a fair point that Nexpose does more for an enterprise than Nessus
alone does.  Nessus is definitely a vulnerability scanner, but it it
not alone an enterprise-centric vulnerability management and reporting
system.  Security Center fills that role, as you hint. 

Nexpose and Security Center side by side is the apples to apples
comparison.  

Cost as of 2 years ago was within the same ballpark and was sized per
IP's.  If you need or want additional scan zones/scanners for a
segmented network, one vendor hits you additional for those, another
vendor doesn't.

Get SE's from both companies involved.  Pay attention to memory needed
and how fast similar breadth and depth scans come back, if
virtualization is important to you, see how each performs in that
environment.  Test the support channels.  Weigh which evil
(Java/Flash/HTML5) you want to live with to use the interfaces, decide
how important a scriptable API might be to you to mine vuln data.
Also consider the OS's of your target environment.   One scanner for
instance deals with *nix OS's and authenticated scans thereof a lot
more elegantly than another. 

I know which way I went and I've been rather happy.   I don't at all
regret the time taken to do a full technical shootout of both. 

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Best ROI Combination - Metasploit & Training Arch Angel (Dec 07)
- Re: Best ROI Combination - Metasploit & Training Larry Pesce (Dec 07)
- Re: Best ROI Combination - Metasploit & Training Josh More (Dec 07)
- Re: Best ROI Combination - Metasploit & Training Michael Allen (Dec 08)
  - Re: Best ROI Combination - Metasploit & Training Arch Angel (Dec 10)
    - Re: Best ROI Combination - Metasploit & Training Albert R. Campa (Dec 11)
    - Re: Best ROI Combination - Metasploit & Training Arch Angel (Dec 11)
    - Re: Best ROI Combination - Metasploit & Training Josh More (Dec 11)
    - Re: Best ROI Combination - Metasploit & Training Arch Angel (Dec 12)
    - Re: Best ROI Combination - Metasploit & Training Todd Haverkos (Dec 13)
    - Re: Best ROI Combination - Metasploit & Training Arch Angel (Dec 13)
    - Re: Best ROI Combination - Metasploit & Training Ron Gula (Dec 14)
    - Re: Best ROI Combination - Metasploit & Training Albert R. Campa (Dec 14)
    - Re: Best ROI Combination - Metasploit & Training Ryker Exum (Dec 11)
    - Re: Best ROI Combination - Metasploit & Training Arch Angel (Dec 11)
- <Possible follow-ups>
- Re: Best ROI Combination - Metasploit & Training Ty Purcell (Dec 07)