Educause Security Discussion mailing list archives

Re: Evaluating Rapid7's Nexpose

From: "Logan, Kimberly (loganks)" <LOGANKS () UCMAIL UC EDU>
Date: Wed, 11 Apr 2007 12:23:22 -0400

Hi Michael,

The University of Cincinnati  is using NeXpose and we're very happy with it.
I can't speak to writing custom checks because we haven't done that.  We're
in the early stages of starting regular scans for the university, but from
what we've done I find it to be a very nice, useful tool.  Our users have
commented that they find it helpful, as well.  The reports indicate when a
vulnerability is found that it may be a false positive, so it's up to the
system administrators to verify.  The support has been very good and I would
highly recommend the three day onsite (they come to you) training.  Feel
free to give me a call if you'd like to talk further.

Kim

Kim Logan
Information Security Officer
CISSP
University of Cincinnati
(513)556-9070
kim.logan () uc edu

-----Original Message-----
From: Michael Bayne [mailto:baynema () JMU EDU]
Sent: Wednesday, April 11, 2007 11:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Evaluating Rapid7's Nexpose

We're currently evaluating Rapid7's Nexpose vulnerability scanner.  They
claim to have a large install base in education, so I thought I'd see if
any of you were using it and what your experience with it have been.

I'm particularly interested in your estimates of false positives/false
negatives, how you handle false positives in reporting, scalability,
experiences with Rapid7's technical support, how well its database and
web services scans work.

The marketing guy was pushing the fact that all the vulnerability checks
are stored in text files and custom vulnerability checks can be written.
  The scripting language for the checks seems to be proprietary,
however, which makes writing custom checks a tad bit hard without
documentation.  Has anyone tried to write custom checks?  Have you had
custom checks written for you by Rapid7?  Have you been able to get
documentation about scripting from Rapid7?

Any other thoughts you might want to share would be appreciated.

Thanks.

--

Mike Bayne
Security Engineer
baynema () jmu edu
1.540.568.1684

Attachment: smime.p7s
Description:

Current thread:

Evaluating Rapid7's Nexpose Michael Bayne (Apr 11)
- <Possible follow-ups>
- Re: Evaluating Rapid7's Nexpose Logan, Kimberly (loganks) (Apr 11)
- Re: Evaluating Rapid7's Nexpose Conor McGrath (Apr 11)
- Re: Evaluating Rapid7's Nexpose Stelfox, Samuel G @ VTC (Apr 11)
- Re: Evaluating Rapid7's Nexpose Jason Carr (Apr 11)
- Re: Evaluating Rapid7's Nexpose Ferris, Joe (Apr 12)
- Re: Evaluating Rapid7's Nexpose Steve Brukbacher (Apr 12)