Security Basics mailing list archives

Regularly Vulnerability Assessment using QualysGuard - Pro/Cons?


From: André Gasser <andre.gasser () gmx ch>
Date: Fri, 16 Dec 2011 19:54:38 +0100

Hello list,

I am writing regarding the commercial QualysGuard Vulnerability
Management solution [1].

For the last few days I have been playing with the QualysGuard Vulnerability
Management solution, and I must say that I really like the way it works.
It allows you to attach a Qualys box to a network segment and then run
regular vulnerability scans inside that environment.

Now, I face the problem that there seem to be many customers around
who do not like the way Qualys handles authenticated scans. Since
Qualys runs a cloud-based concept, all the access credentials required
for doing authenticated scans are stored in their data centers. For
some customers, this is a killer criterion. I understand that customers
do not like the way it is. Since I am no Qualys expert, I would like to
hear some opinions from you. If you use Qualys, how do you handle this
situation? And if you do not use Qualys, what tools do you use to
conduct regular vulnerability assessments? Do you use plain Nessus or a
tool like this?

I think Qualys is a very good tool for running vulnerability assessments
on a regular basis. To be honest, I am not aware of the effective
costs of such a Qualys subscription. But isn't that cheaper than
sending an auditor to the customer's site once a week? Especially if you
need to conduct a lot of scans, sending auditors could become very
expensive, couldn't it?

Because of the problem regarding authenticated scans, we are currently
looking for products that do not store credentials in the cloud and that
can be used to easily conduct regular vulnerability assessments.

I highly appreciate your comments on this.

Thank you very much for your time,

André


[1] http://www.qualys.com/products/qg_suite/vulnerability_management/

