Educause Security Discussion mailing list archives

Re: Vulnerability Assessment tools


From: Brad Edmondson <brad.edmondson () GMAIL COM>
Date: Mon, 2 Nov 2009 10:36:06 -0500

Hopefully better slow than never:

OpenVAS is free and open-source with a regularly updated plugin feed.
It forked off Nessus when the latter went closed-source, and has a
free plugin feed that includes credentialed OS and database
vuln-scanning capabilities.

The most recent major version of OpenVAS is included in the recent
Ubuntu 9.10 release, so you may be able to set up and test for free.
Also, it's client-server and allows you to define scanning scope
permissions for your users, which may work well in your distributed
environment.

Regards,
Brad

On 2009-10-21, Dick Jacobson <Dick.Jacobson () ndus edu> wrote:
I have been asked by my CIO to again look at Vulnerability Assessment
tools for our state Higher Ed network and institutions.  We did contract
with a consultant a while back for pen testing and this was one of their
recommendations for each of our institutions.  I remember seeing
discussion on this a few years ago but the landscape, I'm sure, has
changed.  My timeline is pretty condensed so I am asking for your help.

I am looking for suggestions of tools that you might use or have
looked at as well as tools you are aware of.

We have 11 institutions geographically dispersed and "administered".
However, at this point, nothing is off the table.  Our solution may be
appliance based or software or a hosted solution or a mix of these.

Some of our institutions have adequate staff.  Others have one or two
people who don't have a lot of extra time to add this to their duties.

I am interested in a tool (or multiple?) that will handle web assessment
as well as server/endpoint assessment; and database assessment would be a
bonus.

Any help you can give me will be greatly appreciated.  Thanks.

-----------------------------------------------------------------------
     Dick Jacobson            e-mail : Dick.Jacobson () ndus edu
     NDUS IT Security Officer office : STTC 219
              phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------

