Security Basics mailing list archives
RE: Local Software Scanner for vulnerabilities
From: Sheldon Malm <Sheldon_Malm () rapid7 com>
Date: Wed, 31 Aug 2011 11:37:43 +0000
Pascal,

Full disclosure: I work for Rapid7.

NeXpose Community Edition is free and supported on Windows and Linux. Definitely worth checking out. If you need something that is commercially supported, there are several options for NeXpose that can scale to meet your needs at affordable price points.

I agree with Todd ... BigFix is a great product, but it solves a different need, is agent-based, and is not what I would describe as affordable for what you're trying to accomplish.

I hope this helps.

Sheldon Malm
Senior Director, Security Strategy & Alliances
Rapid7

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Todd Haverkos
Sent: Monday, August 29, 2011 9:44 AM
To: Pascal Heraud
Cc: security-basics () securityfocus com
Subject: Re: Local Software Scanner for vulnerabilities

Pascal Heraud <pascal.heraud () laroueverte com> writes:

> Hello,
>
> I'm looking for a simple tool capable of:
> - Listing local installed software (standard packages) for all Linux and Windows systems.
> - Downloading CVEs database that is free of charge
> - Comparing local software and CVEs to issue security alerts.
> - Simple to install, cross platforms

Tenable Nessus is just $1200 a year and hits all your points except that wish for something free. It's agentless so you wouldn't have to install something on every machine--one scanner can be configured to login with credentials to do full scanning of the entire environment, and enumerate installed software on those boxes. Their plugin writeups all reference the relevant CVEs.

If free is important and it's a home network you're interested in defending, they do offer a home feed for non-commercial use. If you're using it in a business of any sort, $1200 is not much to pay a year. If you're dealing with a non-profit, it's possible to get pro feed at no cost
http://www.nessus.org/about-tenable/tenable-in-the-community

If you have more enterprise needs and a desire to see trending, metrics, and remediation trends for vulnerabilities, reporting, and control of several scanners in a segmented environment, and having several users of the vulnerability tools with various privilege levels, Tenable Security Center is the next step up. It's licensed by IP count.

BigFix as suggested by another poster has a rather different model -- that's an agent based solution that'll have pieces installed on every machine. You'll find that it's exceedingly non-free, and in fact will probably cost at least double Security Center for a similar IP count, and probably 100x a Nessus license depending on your IP count. :-) LanDesk and Shavlik are other competitors in that systems management space.

BigFix can do a lot more than just find vulnerabilities--power management, patch management (i.e. actually fixing the issues found), and inventory management are among the itches these things scratch. If your task is focused on finding vulnerabilities then tossing the info over the wall to another group to address them, a vulnerability scanning solution like Nessus or equivalent is likely what you want.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/