Penetration Testing mailing list archives

Re: Qualys

From: Mark Teicher <mht3 () earthlink net>
Date: Thu, 9 Feb 2006 17:02:10 -0500 (GMT-05:00)

So a quick network security assessment using automated tools could result in a network security assessment that could 
take 8 hours from start to finish, as a remote service, which could be seen as the main attack point of hackers.??  Bad 
marketing speak in my mind, and a possible deliverable would be: an Executive Report, Top Threats to the Network 
Report, Threat Matrix Listing, Full Technical Report and an Outbriefing...  Right there sounds like a lot of work or 
not depending on one's view.  With some automated vulnerability assessment tools, the easier way to do this would be 
insert one's logo in the left or right hand corner of the automated report, add a few blurbs and send it out.  Caveat: 
Verify the results before sending, some automated tools generate lots of false positives, one would be very foolish if 
they were to send a 18,000 page report with only two recommendations.  BTW, recommending updated Cisco IOS to the 
current release may be an option, young jedi


-----Original Message-----

From: Gail Thorpe <gail () sec-tec co uk>
Sent: Feb 9, 2006 11:29 AM
To: pen-test () securityfocus com
Subject: Re: Qualys

Well, if we are going to get picky about terminology, surely a Class A 
environment  means a network with a Class A subnet configured, not 
necessarily one with any particular number of hosts. Ever seen a 10.X.X.X 
network with three hosts on it? I have.

The devil is in the detail, so be careful.

----- Original Message ----- 
From: "Justin Ferguson" <jnferguson () gmail com>
To: "Byron Sonne" <blsonne () rogers com>
Cc: "US Infosec" <usinfosec () gmail com>; <pen-test () securityfocus com>
Sent: Thursday, February 09, 2006 4:19 AM
Subject: Re: Qualys

Everyone seems to have missed what I think was his/her's point. He
asked the *technical* contact if they had every deployed in a Class A
environment (aka 16 million hosts), and he/she responded 'sure we've
supported clients with 60 thousand hosts!' (which isn't even a class b
btw), and the technical ignorance of their technical person is what
closed the door for ncircle. Or at least that is what I get out of his
email, not 'please tell me how i should deploy a vulnerability scanner
in my network' but rather a dialogue on the technical competence of
the employee's.



On 2/8/06, Byron Sonne <blsonne () rogers com> wrote:

Greetings,

nCircle came to do a demonstration for my team once.  I work in an
enviornment that has a full routable class A.   I asked the technical
guy there if they had ever deployed their appliances in a Class A
enviornment and he said sure we have supported clients with 60K hosts.
   That was the end of our consideration.


How long ago did you give it a demo? That sounds like it must have been
a good while ago, or perhaps there was a mis-understanding of some sort.

For folks with class A networks, something that big you'd deploy
multiple units of our product as per our product architecture and
design, as most orgs of that kind of size have done.

If you like, I could put you in touch with someone inside the company
that could discuss any issues you had. If I may ask, who did you opt to
go with instead of nCircle?

Cheers,
Byron




------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, 
forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers 
are
futile against web application hacking. Check your website for 
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before 
hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers 
are
futile against web application hacking. Check your website for 
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before 
hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------




__________________________________________________________________________
The contents of this e-mail are confidential and are intended solely for
the use of the person to whom they are addressed.  If you are not the
intended recipient of this message please notify the sender and delete it
immediately, disclosure of its content to any other person is prohibited
and may be unlawful.  Sec-Tec does not accept any responsibility for
viruses and it is your responsibility to scan the e-mail and attachments.
Any liability arising from any third party acting on information contained
in this e-mail is hereby excluded.
--------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Re: Qualys, (continued)
- - - Re: Qualys Gail Thorpe (Feb 09)
    - Re: Qualys Curt Purdy (Feb 09)
    - Re: Qualys Ben Nelson (Feb 09)
    - Re: Qualys Ivan Arce (Feb 13)
- Re: Qualys Mark Teicher (Feb 08)
- RE: Qualys Michael Gargiullo (Feb 08)
  - Re: Qualys Amit (Feb 12)
- RE: Qualys Michael Gargiullo (Feb 08)
- RE: Qualys Evans, Arian (Feb 10)
  - Re: Qualys Byron Sonne (Feb 11)
- Re: Qualys Mark Teicher (Feb 11)
- Re: RE: Qualys pro_logos (Feb 13)
- RE: Qualys Marc Maiffret (Feb 15)