Security Basics mailing list archives
Re: Need Vulnerability Management Tool Review
From: nekron 99 <noslen0822 () gmail com>
Date: Fri, 12 Oct 2012 13:03:05 -0500
It's a tough one. If you run different scanners you will get different results, no doubt about that. Do you take the summation of both or just where they agree? It gets really tough with older versions of Apache or OpenSSH where the CVE list gets ridiculously long. Since Red Hat and other Linux providers back port without updating versions, you will get false positives. If you don't, then the scanner is doing something else. For instance, the Nessus plugins look for Apache.*(RedHat). When found, the variable that holds the Apache version is artificially inflated to a super-high number (like Apache 1.99.99) to avoid all the regular expression matches in other plugins.

I can see why commercial vendors don't want to auto-suppress for no reason. If a vendor doesn't spit out all the CVEs then customers complain that scanner X isn't doing as good of a job as scanner Y, even though they both may not be looking at the actual patch state. Consequently it forces the vendors to spew out as many CVEs as they can match.

Auditors I have spoken to go back and forth on the vulnerabilities by versioning. On one hand, you may have a version of code that is known to be vulnerable to certain exploits, but you may have it configured to not be using the feature set that has the issue. Technically the software is vulnerable. Most auditors are looking for process and showing we are knowledgeable about the issue and have a documented response of why we are or are not doing something about it.

For Linux OSes that back port you really have to do authenticated scanning to get the best results.

On Fri, Oct 12, 2012 at 12:16 PM, Bryan <brakeb () gmail com> wrote:
So, how do you explain the fact that the Nexpose/Rapid7 scan and the CW scan differed quite a bit on what was scanned? I mean, I ran the metrics from our QSA against our bi-monthly scan. Both reports covered many of the same items, but also, both reports found things the other didn't have. I guess what I'm saying is that I am having trouble believing either report at this point...
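The reply above describes two things a practitioner will want to see side by side: a banner-only version check that cannot tell a backported distro build from a genuinely old one, the "inflate the version when the banner says Red Hat" suppression trick, and the authenticated alternative of comparing the installed package release against the vendor's fixed release. The following model is an added example written for this thread; it is not Nessus, Nexpose or any other product's code. The check name, the fixed-in threshold, the inflated version value and the package NVR strings are all constructed placeholders, not real advisory data.

```python
import re

# Constructed sample Server banners; none come from a real host.
BANNERS = [
    "Apache/2.2.3 (Red Hat)",   # distro build: vendor backports fixes, version stays 2.2.3
    "Apache/2.2.3 (Unix)",      # self-compiled 2.2.3: the version really is old
    "Apache/2.4.3 (Unix)",
]

# Hypothetical version-based check. The threshold is a placeholder,
# not the boundary of any real advisory.
CHECK_NAME = "HYPOTHETICAL-APACHE-CHECK"
FIXED_IN = (2, 2, 22)

BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)(?:\s+\(([^)]*)\))?")
INFLATED = (99, 99, 99)  # our own choice of "super-high" version for suppression


def parse_banner(banner):
    """Return (version tuple, vendor string or None), or None if unparseable."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def effective_version(banner, backport_aware):
    """Version that downstream version-compare checks will see."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    version, vendor = parsed
    if backport_aware and vendor and "Red Hat" in vendor:
        # Mimic the trick the message describes: once the banner shows a
        # backporting distro, hand every other check an inflated version
        # so that "version < fixed" comparisons never fire.
        return INFLATED
    return version


def version_findings(banner, backport_aware):
    """Findings a banner-only (unauthenticated) check reports for one banner."""
    version = effective_version(banner, backport_aware)
    if version is None:
        return []
    return [CHECK_NAME] if version < FIXED_IN else []


def split_rpm(segment):
    """Split '65.el5_8.1' into comparable chunks: ints and alpha runs."""
    return [int(p) if p.isdigit() else p
            for p in re.findall(r"\d+|[A-Za-z]+", segment)]


def _cmp_chunks(a, b):
    """rpm-style ordering: numeric chunks beat alpha chunks, longer wins on tie."""
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))


NVR_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def installed_is_fixed(installed_nvr, fixed_nvr):
    """Authenticated-style check: is the installed package NVR at or past the
    NVR the vendor advisory names as fixed? Both NVRs are constructed here."""
    i, f = NVR_RE.match(installed_nvr), NVR_RE.match(fixed_nvr)
    if not (i and f and i["name"] == f["name"]):
        raise ValueError("NVRs must parse and name the same package")
    for key in ("ver", "rel"):
        c = _cmp_chunks(split_rpm(i[key]), split_rpm(f[key]))
        if c:
            return c > 0
    return True


if __name__ == "__main__":
    for banner in BANNERS:
        naive = version_findings(banner, backport_aware=False)
        aware = version_findings(banner, backport_aware=True)
        print(f"{banner:28s} naive={naive} backport_aware={aware}")
    # Hypothetical fixed release for the placeholder check.
    print(installed_is_fixed("httpd-2.2.3-65.el5", "httpd-2.2.3-53.el5"))   # True
    print(installed_is_fixed("httpd-2.2.3-45.el5", "httpd-2.2.3-53.el5"))   # False
```

The two modes show the trade-off in the thread: without suppression, the Red Hat build is flagged on version alone (a likely false positive); with suppression, it is silently dropped, and a self-compiled 2.2.3 still fires because its banner carries no distro marker. Neither mode knows the patch state; only the NVR comparison, which needs credentials to read the package database, answers the question the auditor is asking.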