Penetration Testing mailing list archives
RE: Vulnerability scanners
From: "Rosado, Rafael (Rafael)" <rarosado () lucent com>
Date: Thu, 27 Mar 2003 14:46:28 -0700
Dan,

I will not provide you with an endorsement of any product (commercial or freeware), but I can tell you that there are less expensive commercial solutions than Qualys (not to say that the Qualys product is not worth that cost, although it does seem steep... well, then you have Foundscan, which is much more expensive). You probably need to bring several full evaluation copies in-house and run your own "head-to-head" comparisons. If you don't have the time or resources to perform such an in-house evaluation, you could take your chances in relying on 3rd-party comparisons/evaluations (such as the one done by Information Security Magazine - http://www.infosecuritymag.com/2003/mar/cover.shtml and http://www.infosecuritymag.com/2003/mar/comparisonchart.shtml - or Network World Fusion at http://www.nwfusion.com/reviews/2002/vulnerability0204.jsp). You could always go with the limited-budget solution - Nessus and "Almost Free" Tools (refer to Fred Langston's presentation - http://www.issa-ps.org/presentations/issaps-0303a.pdf). Each alternative has implementation, deployment and maintenance costs associated with it.

How accurate each one is, and how often these are updated with the latest attack signatures, is debatable, although Nessus has been highly rated by many for accuracy and updated attack signature availability (it is considered one of the most widely accepted and recommended security tools available, along with NMAP, which Nessus has embedded into it). Most security professionals I have interacted with have mentioned that they use Nessus to complement the results from whatever commercial vulnerability scanners they are using.

Good luck with your evaluation/decision.

Rafael Rosado, CISSP, CISA
IT Security Manager
Caribbean and Latin America Region (CALA) & Global Risk Assessment and Penetration Testing
Lucent Technologies - Corporate Security
Business Assurance and Risk Mitigation Services (B.A.R.M.S.)
2400 SW 145th Avenue - Room 1S056, Miramar, Florida 33027
+1 954-885-2176 (voice) * +1 954-885-3861 (fax) * +1 954-648-3532 (mobile) or 9546483532 () mobile att net (text message) * rarosado () lucent com (email)

This electronic mail message contains information belonging to Lucent Technologies, which may be confidential and/or legally privileged. The information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, printing, copying, distribution, or the taking of any action in reliance on the contents of this electronically mailed information is strictly prohibited. If you receive this message in error, please immediately notify us by electronic mail and delete this message.

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Thursday, March 27, 2003 3:34 PM
To: 'Dan Lynch'; pen-test () securityfocus com
Subject: RE: Vulnerability scanners

I'd be astounded if it took that much money to administer Nessus. I run Nessus, and it's so little trouble that I don't think I've spent 60 minutes administering/installing/maintaining it all year so far. Every time I run it, I do the check for updates (and heck, you can set that as a cron job if you really want), and aside from that I've had no trouble with it whatsoever.

I cannot believe that Qualys has vulnerability signatures faster than Nessus, at least by any reasonable amount of time... I've seen NASL plugins out within hours of the vulnerability being made public. Easier updates than Nessus? Um... "nessus-update-plugins"... wait about 20-90 seconds... done! What's so hard about that? And I can write my own NASL plugins for Nessus if I so desire (and I have), which I cannot do with Qualys.

Finally, a company I worked for tested Qualys once, and they failed to find some of the more important problems with the NT box we stood up outside of our firewall. This was years ago, and I'm sure things have improved (or so I hope), but it was still a powerful thing to see first hand. In the end, we went with Nessus, and never had a problem after that.
-----Original Message-----
From: Dan Lynch [mailto:dan.lynch () placer ca gov]
Sent: Wednesday, March 26, 2003 6:47 PM
To: pen-test () securityfocus com
Subject: Vulnerability scanners

Greetings list,

Yesterday some reps from Qualys came with a sales presentation for their QualysGuard appliance. I'd like to solicit your comments and opinions on that product. In particular, do you think it's $45,000 per year better than Nessus? (That's about the cost we'd face based on our IP address range.) They claim it costs as much in administration to run Nessus. Does Qualys' claim to more vulnerability signatures and faster/easier updates hold water?

Any input you can offer is greatly appreciated.

Dan Lynch
Information Technology Analyst
County of Placer
Auburn, CA
530/889-4222
Bureaucracy: the art of making the possible impossible.

Stop spam and e-mail risk at the gateway. SurfControl E-mail Filter puts the brakes on spam & viruses and gives you the reports to prove it. See exactly how much junk never even makes it in the door. Free 30-day trial: http://www.surfcontrol.com/go/zsfptl1