Educause Security Discussion mailing list archives
Re: Vulnerability Scanners
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 2 Aug 2007 11:52:57 -0400
If you want good results, you're probably better off with specialized tools. Network scanners don't typically do thorough web scanning and vice versa.

In my previous consulting life, I used a mix of Qualys and Nessus. Nessus is good from the standpoint that it's free but lacks in quality of results, IMHO. There are a lot of false positives and the presentation of results is pretty poor, again IMHO. You also don't get any reliable support. I've heard the commercial Tenable scanner is better but I don't have any experience. Qualys does a much better job with results and the amount of information provided. They're also easy to work with when you're trying to troubleshoot false positives. Management interface is relatively user friendly. Results are stored on-site at Qualys and retrieved through a web interface. Some folks have an issue with this. They do have a security model in place that prevents Qualys employees from accessing your results. They'd be able to give you more info on that. Overall, I would certainly recommend checking them out.

For web scanning, I've used SPI Dynamics WebInspect in the past. It's a bit resource intensive and sometimes provides too much information but overall I've always been pretty happy with it. Not much out there in terms of good open-source alternatives. You can check out tools like Nikto and Paros but they're not going to get you near the same quality results as a commercial scanner.

Unfortunately, I can't speak too much regarding database scanning tools.

Hope this helps!

-----Original Message-----
From: Andy Rivers [mailto:rivers () TENNESSEE EDU]
Sent: Thursday, August 02, 2007 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability Scanners

Hello,

We are looking at purchasing a new vulnerability scanner to use on our security assessments, and I was wondering if anyone could provide insight to some of the tools that they currently use.

Right now we use a combination of open source tools and commercial products, but we are not very happy with the results that we are getting from our commercial products. We have three main categories that we assess: database, web, and workstations/servers. So we are examining if we will get more accurate results by having a specialized scanner for each category or if there's a product out there that will accurately and thoroughly scan all three categories. I would be interested in hearing how some of you currently do your assessments: do you have a separate tool for each one or do you use the same scanner for all of them? Also, we are pretty sure that we are going to have to do an RFP for this, so if anyone has already done a similar RFP and would be willing to share, that would be great.

Thanks in advance for your responses.

Andy Rivers
Senior Security Analyst
Information Security Office
University of Tennessee
(865) 974-2032
rivers () tennessee edu