Educause Security Discussion mailing list archives

Re: Outsourcing security scanning (internal and external)


From: John Kemp <kemp () NETWORK-SERVICES UOREGON EDU>
Date: Fri, 7 Oct 2005 01:12:31 -0700

On Friday 07 October 2005 01:00, Greg Francis wrote:
> We are currently considering whether or not to outsource penetration
> testing from off-campus such that testing will be done frequently
> (monthly?) versus a periodic audit which we have already outsourced in the
> past. We're also considering outsourcing the same functionality except on
> the inside of the firewall.
>
> At present, we do some scanning with NMAP and Nessus but there are
> concerns from management that our efforts are inadequate and our
> reliability is low. We are making improvements but I question how much we
> should focus on that area if it's going to be outsourced anyway. Our CIO
> thinks that outsourcing both tasks may be more cost effective and appease
> management more.
>
> Are there any schools out there that have outsourced either external or
> internal scanning? If so, how frequently is the scanning done? Do you have
> a vendor that you recommend and what is their general cost?
>
> Any input is highly appreciated.
>
> Thanks,
> Greg


I tend to think of the QUALYS service as basically this
sort of thing.  Probably cheaper and more useful than a
consultant, for my 2 cents.  Consultants have
no stake in your enterprise, and have no upper bound
on what they'll charge you.

Since the QUALYS model is based on the number of IP addresses
that they scan, it can get ugly in terms of pricing if your number
of targets is high.  So... we're not a customer.  But if you fit their
model, I thought their architecture and R&D was quite solid.

--

John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/ mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A  B354 77DE E6DC A3CA 7130
