Re: Evaluating Rapid7's Nexpose

[Conor McGrath <conormc () UCHICAGO EDU>]

On Wed, Apr 11, 2007 at 11:27:59AM -0400 Michael Bayne said:
> We're currently evaluating Rapid7's Nexpose vulnerability scanner.  They
> claim to have a large install base in education, so I thought I'd see if
> any of you were using it and what your experience with it have been.
>
> I'm particularly interested in your estimates of false positives/false
> negatives, how you handle false positives in reporting, scalability,
> experiences with Rapid7's technical support, how well its database and
> web services scans work.
>
> The marketing guy was pushing the fact that all the vulnerability checks
> are stored in text files and custom vulnerability checks can be written.
>  The scripting language for the checks seems to be proprietary,
> however, which makes writing custom checks a tad bit hard without
> documentation.  Has anyone tried to write custom checks?  Have you had
> custom checks written for you by Rapid7?  Have you been able to get
> documentation about scripting from Rapid7?
>
> Any other thoughts you might want to share would be appreciated.

I don't know much about the product because their sales folks were so
thoroughly unprofessional I simply refuse to talk to them any longer.
They started off with cold calls and then acting like they were my
best friends when I did answer.  From there they began to call multiple
times in a row.  If I did not answer they wouldn't leave a voice mail
for me but would call again in two minutes...and again...and again.
I observed this behavior twice while I was in meetings in my office.

Perhaps I'm just in a crabby mood today but I will not likely do business
with such folks anytime soon.

-Conor

--
Conor McGrath                                           Phone: (773)702-7611
Manager for Network Security                            Fax: (773)834-8444
Network Security Center, The University of Chicago      NetSec: (773)702-2378
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml