Educause Security Discussion mailing list archives
Re: Vulnerability scanners - what do you use? What seems to be successful for your environment?
From: "William C. Moore II" <wcmoore () VALDOSTA EDU>
Date: Tue, 25 May 2010 16:04:12 -0400
Cathy et al,

We use Nexpose by Rapid7 and have done so successfully for multiple years now. I also use various other assessment tools to validate my Nexpose reports and to ensure we (and Rapid7) are staying up-to-date.

I have read the many posts with regard to Nessus and I too am a huge fan of the tool, but let's face it, you receive more support if upper and/or senior administration understands what is being presented. If you have the time and abilities you can present some good reports with other tools based on Nessus output; however, I can schedule regular reports to various users based on what is being assessed and the level of detail the recipient needs (i.e. remediation reports to SysAdmins, report cards to mid-level management or executive reports to senior administration). These reports are from multiple levels of assessments, for example a safe audit (kid gloves approach), a web audit (XSS/CSS, SQL injection, configuration info leakage), Oracle and other database testing, authenticated patch level testing and PEN testing with Metasploit. Oh, and BTW the assessments are based on Nessus at the core so I still have the trust in the foundation.

Nexpose is designed to accommodate multiple users if needed. Our SysAdmins (I am going into this more slowly than they would like) can initiate their own assessments, but I retain the ability and granularity to limit Tommy's ability to PEN test Karry's servers (it was an innocent joke, right?); then they can each determine which reports are best for their or their supervisors' use. Also, on some of the reports the SysAdmin can follow embedded links to the vendor's knowledge base, patch and/or vulnerability sites. Just FYI, some of the links are designed to show exactly how to exploit the vulnerability found, so be careful of who receives those reports.

One of my pet peeve complaints is the report real estate (efficient use of report page or paper). Some of the report formats will occasionally list a long (multiple pages) single column of items in the report. These are automated reports so I do not complain too often, but if I am using this report for a presentation, administration or if I know it will be printed I will massage the report or use a different format.

Best of luck to you.

Bill

William C. Moore II, CISSP, MEd, MLIS
Chief Information Security Officer
Information Technology
Valdosta State University
Valdosta, GA 31698
Phone: (229)333-5974
Fax: (229)245-4349

***********************************************************************
The information transmitted is intended only for the person addressed. Any unauthorized review, distribution or other use of or the taking of any action in reliance upon this information is prohibited. If you received this message in error, please contact the sender and delete or destroy this message and any copies.
***********************************************************************

_____

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ullman, Catherine
Sent: Tuesday, May 25, 2010 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability scanners - what do you use? What seems to be successful for your environment?

Greetings!

I am beginning to do some research into vulnerability scanners to be used in assessing infrastructure weaknesses here at the University at Buffalo. I'm wondering if folks out there might be willing to share with us what they're using, if anything, and any experiences (good or bad) you've had with any of these products.

Many thanks in advance for your assistance.

Sincerely,
Cathy

Catherine J. Ullman
Information Security Analyst
Information Security Office
University at Buffalo
cende () buffalo edu