Penetration Testing mailing list archives
RE: Vulnerability scanners
From: "Ken Smith" <ksmith () akibia com>
Date: Thu, 27 Mar 2003 16:08:00 -0500
Don't forget that Qualys is not a managed service. You still need to set up the scans, customize the reports, set up scheduling, and make sense of the resulting reports. It's not completely outsourcing, it's an ASP model.

-----Original Message-----
From: Jeff Williams @ Aspect [mailto:jeff.williams () aspectsecurity com]
Sent: Thursday, March 27, 2003 1:59 PM
To: Dan Lynch; pen-test () securityfocus com
Subject: Re: Vulnerability scanners

Let's assume that you're talking about 256 IPs (based on Qualys' published pricing), and you want to scan weekly. That's at least a day a week of effort for someone (probably more to generate a very nice report and summaries). The cost of a full-time sysadmin (including salary, benefits, office, etc...) probably costs well north of $100K. You'd have to include some equipment costs in there. So I doubt you could do it much cheaper. I think vulnerability scanning is a reasonable thing to outsource for companies that are not in the security or networking field already.

Still, the incremental cost of their service must be far less than that. Obviously they've invested a significant amount in their scanning engine and report structure. And there will be some maintenance and network costs to consider. But the cost of adding one more customer should be fairly small. If their prices don't start approaching this incremental cost, then there's an opportunity for someone else to enter the market and provide the service for cheaper. Maybe you can push them on this point.

Whatever you decide, you should also be sure to consider the cost of interpreting the results and making the changes to fix any problems uncovered. Simply having the scan done for you does not relieve you of the responsibility of going through the findings carefully and keeping systems hardened.

Please let the list know how this comes out as there are probably many companies wrestling with this decision now.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: Dan Lynch
To: pen-test () securityfocus com
Sent: Wednesday, March 26, 2003 6:46 PM
Subject: Vulnerability scanners

Greetings list,

Yesterday some reps from Qualys came with a sales presentation for their QualysGuard appliance. I'd like to solicit your comments and opinions on that product.

In particular, do you think it's $45,000 per year better than Nessus? (That's about the cost we'd face based on our IP address range.) They claim it costs as much in administration to run Nessus. Does Qualys' claim to more vulnerability signatures and faster/easier updates hold water?

Any input you can offer is greatly appreciated.

Dan Lynch
Information Technology Analyst
County of Placer
Auburn, CA
530/889-4222

Bureaucracy: the art of making the possible impossible.