Educause Security Discussion mailing list archives
Re: Outsourcing security scanning (internal and external)
From: John Kemp <kemp () NETWORK-SERVICES UOREGON EDU>
Date: Fri, 7 Oct 2005 01:12:31 -0700
On Friday 07 October 2005 01:00, Greg Francis wrote:
We are currently considering whether or not to outsource penetration testing from off-campus such that testing will be done frequently (monthly?) versus a periodic audit which we have already outsourced in the past. We're also considering outsourcing the same functionality except on the inside of the firewall. At present, we do some scanning with NMAP and Nessus but there are concerns from management that our efforts are inadequate and our reliability is low. We are making improvements but I question how much we should focus into that area if it's going to be outsourced anyway. Our CIO thinks that outsourcing both tasks may be more cost effective and appease management more. Are there any schools out there that have outsourced either external scanning? If so, how frequently is the scanning done? Do you have a vendor that you recommend and what is their general cost? Any input is highly appreciated. Thanks, Greg
I tend to think of the QUALYS service as basically this sort of thing. Probably cheaper and more useful than a consultant, for my 2 cents. Consultants have no stake in your enterprise, and have no upper bound on what they'll charge you. Since the QUALYS model is based on the number of IP addresses that they scan, it can get ugly in terms of pricing if your number of targets is high. So... we're not a customer. But if you fit their model, I thought their architecture and R&D was quite solid.

--
John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/ mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A B354 77DE E6DC A3CA 7130