Re: Regularly Vulnerability Assessment using QualysGuard - Pro/Cons?

[Artis Schlossberg <artis () infosec lv>]

If you are evaluating Nessus and Qualys, have a look at OpenVAS too.

Greenbone has an OpenVAS based appliance: http://greenbone.net/

--
Artis

On Fri, Jan 27, 2012 at 17:23, Wright, Joe # ATLANTA
<Joe.Wright () globalpay com> wrote:
> Andre;
>
> Qualys does store credentials in the cloud, however, they are also have serious security controls around the users 
> information such as encryption and so forth. You may wish to look further into their security status and storage 
> process. Alternately, you could use something like Nessus or Tenable Perimeter Security. It really depends on what 
> you are trying to achieve. Qualys however tends to be expensive on initial cost and recurring costs.
>
> Joe
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of André Gasser
> Sent: Friday, December 16, 2011 1:55 PM
> To: security-basics () securityfocus com
> Subject: Regularly Vulnerability Assessment using QualysGuard - Pro/Cons?
>
> Hello list,
>
> I am writing regarding the commercial QualysGuard Vulnerability Management solution [1].
>
> The last few days I was playing with the QualysGuard Vulnerability Management solution and I must say, that I really 
> like the way it works.
> It allows you to attach a Qualys box to a network segment and then run regular vulnerability scans inside that 
> environment.
>
> Now, I face the problem, that there seem to be many customer around which do not like the way Qualys handles 
> authenticated scans. Since Qualys runs a cloud-based concept, all the access credentials required for doing 
> authenticated scans, are stored in their data centers. For some customers, this is a killer criteria. I understand, 
> that customers do not like the way it is. Since I am no Qualys expert, I would like to hear some opinions from you. 
> If you use Qualys, how do you handle this situation? And if you do not use Qualys, what tools do you use to conduct 
> regular vulnerability assessments? Do you use plain nessus or a tool like this?
>
> I think Qualys is a very good tool for running vulnerability assessments on a regularly basis. To be honest, I am not 
> aware of the effective costs of such a Qualys sucscriptions. But isn't that cheaper than sending an auditor to the 
> customers site once a week? Especially if you need to conduct a lot of scans, sending auditors could become very 
> expensive, doesn't it?
>
> Because of the problem regarding authenticated scans, we are currently looking for products who do not store 
> credentials in the cloud and which can be used to easily conduct regular vulnerability assessments.
>
> I higly appreciate your comments on this.
>
> Thanky you very much for your time,
>
> André
>
>
> [1] http://www.qualys.com/products/qg_suite/vulnerability_management/
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
> who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
> if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
> Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
> management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
>
>
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------