Educause Security Discussion mailing list archives

Re: Vulnerability scanners - what do you use? What seems to be successful for your environment?


From: "William C. Moore II" <wcmoore () VALDOSTA EDU>
Date: Tue, 25 May 2010 16:04:12 -0400

Cathy et al,

We use Nexpose by Rapid7 and have done so successfully for multiple years
now.  I also use various other assessment tools to validate my Nexpose
reports and to ensure we (and Rapid7) are staying up-to-date.

I have read the many posts with regards to Nessus and I too am a huge fan of
the tool, but let's face it, you receive more support if upper and/or senior
administration understands what is being presented.  If you have the time
and abilities you can present some good reports with other tools based on
Nessus output; however, I can schedule regular reports to various users
based on what is being assessed and the level of detail the recipient needs
(i.e. remediation reports to SysAdmins, report cards to mid-level management
or executive reports to senior administration).  These reports are from
multiple levels of assessments, for example a safe audit (kid-gloves
approach), a web audit (XSS/CSS, SQL injection, configuration info leakage),
Oracle and other database testing, authenticated patch level testing and PEN
testing with MetaSploit.  Oh, and BTW the assessments are based on Nessus at
the core so I still have the trust in the foundation.

Nexpose is designed to accommodate multiple users if needed.  Our SysAdmins
can (I am going into this more slowly than they would like) initiate
their own assessments, but I retain the ability and granularity to limit
Tommy's ability to PEN test Karry's servers (it was an innocent joke, right?);
then they can each determine which reports are best for their or their
supervisors' use.  Also, on some of the reports the SysAdmin can follow
embedded links to the vendor's knowledge base, patch and/or vulnerability
sites.  Just FYI, some of the links are designed to show exactly how to
exploit the vulnerability found, so be careful of who receives those reports.

One of my pet peeve complaints is the report real estate (efficient use
of report page or paper).  Some of the report formats will occasionally list
a long (multiple pages) single column of items in the report.  These are
automated reports so I do not complain too often, but if I am using this
report for a presentation, administration or if I know it will be printed I
will massage the report or use a different format.

Best of luck to you.

Bill

William C. Moore II, CISSP, MEd, MLIS
Chief Information Security Officer
Information Technology
Valdosta State University
Valdosta, GA 31698
Phone: (229)333-5974
Fax: (229)245-4349

***********************************************************************
The information transmitted is intended only for the person addressed.
Any unauthorized review, distribution or other use of or the taking of
any action in reliance upon this information is prohibited. If you
received this message in error, please contact the sender and delete or
destroy this message and any copies.
***********************************************************************
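The multi-user arrangement described above (SysAdmins launching their own assessments only within the scope the security office grants, and the same findings going out to different audiences at different detail levels, with the exploit how-to links kept to the remediating administrator) is sketched below as an added example. It is illustrative Python written for this archive page, not Nexpose's or Rapid7's code or API; the asset groups, user names, findings and URLs are all constructed sample data.

```python
"""Scan-scope authorization and tiered vulnerability reports.

Added example, not Nexpose/Rapid7 code. Models two ideas from the thread:
  1. a SysAdmin may only launch assessments against asset groups they own,
     while the security officer may assess any group;
  2. one set of findings feeds three audiences: full remediation detail
     (exploit references included) for the admin of those hosts, a
     severity report card for mid-level management, and an executive
     summary with no URLs at all.
All data below is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed asset-group ownership: who may scan which hosts.
ASSET_GROUPS = {
    "web-tier": {"owner": "tommy",
                 "hosts": ["web01.example.edu", "web02.example.edu"]},
    "db-tier":  {"owner": "karry", "hosts": ["db01.example.edu"]},
}
SECURITY_OFFICERS = {"bill"}  # constructed: may assess any asset group


class ScanNotAuthorized(Exception):
    """Raised when a user tries to assess hosts outside their scope."""


def authorize_scan(user, asset_group):
    """Return the hosts `user` may assess in `asset_group`, or raise."""
    group = ASSET_GROUPS[asset_group]
    if user in SECURITY_OFFICERS or group["owner"] == user:
        return list(group["hosts"])
    raise ScanNotAuthorized(f"{user} may not assess asset group {asset_group!r}")


def can_scan(user, asset_group):
    """Boolean form of authorize_scan, convenient for UI checks and tests."""
    try:
        authorize_scan(user, asset_group)
        return True
    except ScanNotAuthorized:
        return False


@dataclass
class Finding:
    host: str
    title: str
    severity: str  # "critical", "high", "medium" or "low"
    remediation: str
    references: list = field(default_factory=list)   # vendor KB / patch URLs
    exploit_refs: list = field(default_factory=list)  # links showing how to exploit


# Constructed findings (hosts and URLs are placeholders).
FINDINGS = [
    Finding("web01.example.edu", "Outdated web server", "high",
            "Apply vendor patch", ["https://vendor.example/kb/1"],
            ["https://exploit.example/x1"]),
    Finding("web02.example.edu", "Reflected XSS in login page", "medium",
            "Encode output"),
    Finding("db01.example.edu", "Missing database patch set", "critical",
            "Apply quarterly patch", ["https://vendor.example/kb/2"],
            ["https://exploit.example/x2"]),
]

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def remediation_report(findings, hosts):
    """Full detail for the administrator of `hosts`; exploit links included."""
    return [
        {"host": f.host, "title": f.title, "severity": f.severity,
         "remediation": f.remediation,
         "references": f.references + f.exploit_refs}
        for f in findings if f.host in hosts
    ]


def reports_for_admin(user, asset_group, findings=FINDINGS):
    """Scope-checked remediation report: only hosts the user may assess."""
    return remediation_report(findings, authorize_scan(user, asset_group))


def report_card(findings, hosts):
    """Mid-level management view: per-host counts by severity, no URLs."""
    card = {}
    for f in findings:
        if f.host in hosts:
            card.setdefault(f.host, Counter())[f.severity] += 1
    return {host: dict(counts) for host, counts in card.items()}


def executive_summary(findings):
    """Senior administration view: one risk score and the worst items."""
    score = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    worst = sorted(findings, key=lambda f: -SEVERITY_WEIGHT[f.severity])[:3]
    return {"risk_score": score,
            "top_items": [f"{f.severity}: {f.title}" for f in worst]}


if __name__ == "__main__":
    print(reports_for_admin("tommy", "web-tier"))
    print(report_card(FINDINGS, ASSET_GROUPS["web-tier"]["hosts"]))
    print(executive_summary(FINDINGS))
    print("tommy may scan db-tier:", can_scan("tommy", "db-tier"))
```

The point of the split is that the scope check happens before any findings are selected, so a report can never be built for hosts the requester was not allowed to assess, and only the remediation tier carries the exploit references the thread warns about.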

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ullman, Catherine
Sent: Tuesday, May 25, 2010 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability scanners - what do you use? What seems to
be successful for your environment?

Greetings!

I am beginning to do some research into vulnerability scanners to be used in
assessing infrastructure weaknesses here at the University at Buffalo.  I'm
wondering if folks out there might be willing to share with us what they're
using, if anything, and any experiences (good or bad) you've had with any of
these products.

Many thanks in advance for your assistance.

Sincerely,

Cathy

Catherine J. Ullman
Information Security Analyst
Information Security Office
University at Buffalo
cende () buffalo edu