Security Basics mailing list archives

Re: Need Vulnerability Management Tool Review


From: nekron 99 <noslen0822 () gmail com>
Date: Fri, 12 Oct 2012 13:03:05 -0500

It's a tough one.  If you run different scanners you will get
different results, no doubt about that.  Do you take the summation of
both or just where they agree?  It gets really tough with older
versions of Apache or OpenSSH where the CVE list gets ridiculously long.

Since Red Hat and other Linux providers back-port without updating
versions, you will get false positives.  If you don't, then the scanner
is doing something else.  For instance, the Nessus plugins look for
Apache.*(RedHat).  When found, the variable that holds the Apache
version is artificially inflated to a super-high number (like Apache
1.99.99) to avoid all the regular expression matches in other plugins.

I can see why commercial vendors don't want to auto-suppress for no
reason.  If a vendor doesn't spit out all the CVEs, then customers
complain that scanner X isn't doing as good a job as scanner Y,
even though they both may not be looking at the actual patch state.
Consequently it forces the vendors to spew out as many CVEs as they
can match.

Auditors I have spoken to go back and forth on vulnerabilities by
versioning.  On one hand, you may have a version of code that is known
to be vulnerable to certain exploits, but you may have it configured
not to use the feature set that has the issue.  Technically the
software is vulnerable.

Most auditors are looking for process and for showing we are knowledgeable
about the issue and have a documented response of why we are or are not
doing something about it.

For Linux OSes that back-port, you really have to do authenticated
scanning to get the best results.





On Fri, Oct 12, 2012 at 12:16 PM, Bryan <brakeb () gmail com> wrote:
So, how do you explain the fact that the Nexpose/Rapid7 scan and the CW scan differed quite a bit on what was
scanned?  I mean, I ran the metrics from our QSA against our bi-monthly scan.  Both reports covered many of the same
items, but also, both reports found things the other didn't have.

I guess what I'm saying is that I am having trouble believing either report at this point...
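The version-inflation trick and the patch-state gap described in this post, as an added Python example that is not from the post, from Nessus or from any scanner vendor: the banner regex, the inflated 1.99.99 version, the affected-version ranges and the changelog excerpt are constructed for the example, and the CVE ids are placeholders, not real identifiers.

```python
import re

# Constructed data (not real CVE ranges or a real changelog).
# Each entry: (placeholder CVE id, first affected version, first fixed version).
VERSION_CHECKS = [
    ("CVE-0000-0001", (1, 3, 0), (1, 3, 39)),
    ("CVE-0000-0002", (1, 3, 0), (1, 3, 42)),
]

BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# Distro-tagged banner, i.e. a build whose fixes are back-ported without a
# version bump. The post gives the Nessus pattern as Apache.*(RedHat); the
# other distro names here are an assumption for illustration.
BACKPORT_RE = re.compile(r"Apache.*\((Red Hat|RedHat|CentOS|Debian)\)")
# The "super-high" version the post says the plugin substitutes.
INFLATED_VERSION = (1, 99, 99)


def effective_version(banner, suppress_backports):
    """Version tuple to feed into range checks, or None if no Apache banner.

    With suppress_backports=True a distro-tagged banner is replaced by the
    inflated version, so unauthenticated version-range checks cannot match."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    if suppress_backports and BACKPORT_RE.search(banner):
        return INFLATED_VERSION
    return tuple(int(x) for x in m.groups())


def version_matches(banner, suppress_backports=True):
    """Placeholder CVE ids whose affected range covers the banner version."""
    ver = effective_version(banner, suppress_backports)
    if ver is None:
        return []
    return [cve for cve, first, fixed in VERSION_CHECKS if first <= ver < fixed]


def patched_per_changelog(changelog, cve_id):
    """Authenticated view: the package changelog names the CVE as fixed.
    This is the patch-state evidence a banner check cannot see."""
    return re.search(r"\b%s\b" % re.escape(cve_id), changelog) is not None


BANNER = "Apache/1.3.33 (Red Hat)"  # constructed Server header
CHANGELOG = "* httpd 1.3.33-1 (constructed rpm changelog excerpt)\n- fix CVE-0000-0001 (backported)"

if __name__ == "__main__":
    print(version_matches(BANNER, suppress_backports=False))  # both placeholder ids
    print(version_matches(BANNER, suppress_backports=True))   # []
    for cve, _, _ in VERSION_CHECKS:
        print(cve, "patched" if patched_per_changelog(CHANGELOG, cve) else "not in changelog")
```

The unsuppressed banner check flags both placeholder ids, the suppressed one flags nothing, and only the changelog distinguishes the back-ported fix from the still-open one.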


