Educause Security Discussion mailing list archives
Re: OS Vuln Scanners
From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 18 Apr 2008 13:46:25 -0500
Kevin Lanning wrote:
I'd appreciate info from list members regarding best products in this category from your real life experience as a security professional in higher ed. thanks,
This message goes beyond what you asked for, but hopefully it may be useful to the larger Educause community. Don't forget about the many open source tools and scripts out there that can be helpful. But with regards to commercial products, I've used any of the following in various ways:

Vuln assessment related tools:
-----------------------------
Nessus w/ direct feed
SPI Dynamics WebInspect for webapps
eEye Retina
WebScarab, Paros & Burp proxies
ISS Scanner
human brain

Penetration testing tools:
-------------------------
Core IMPACT
Immunity CANVAS
Metasploit Framework (not commercial)
WebScarab, Paros & Burp (VA + pentest)
human brain

Database security tools
-----------------------
Appdetective for Oracle/SQL Server
human brain

For the costs and what you get, Nessus is clearly a winner in my mind. The direct feed is reasonably priced and the product gets better over the years in my experience. I've used it hundreds of times.

SPI Dynamics WebInspect is expensive, but it does a decent job finding some percentage of webapp security issues. I believe that even the best webapp scanner is no substitute for a skilled professional who has the right tools & time. Still, running an automated web scanner is good to detect the 30% or so (figure open to debate) of the issues that they *can* detect, but it should not be the only measure taken.

eEye Retina I used for a year or so, and it seemed pretty decent for assessing Windows hosts, but not so much the unix systems. At the time I don't think there was any webapp assessment functionality in it at all, but it's been a while and my engrams may be experiencing high latency. I don't know its current status.

WebScarab & Paros are proxies for much slower manual analysis of webapps. Burp is another proxy in this same vein that I haven't explored yet, but am hearing good things about. There are some automated functions within these proxies, but I don't really regard them as a "scanning" tool, although they are useful for VA and pentesting functions along with security analysis.

ISS Scanner I used some years back. It was OK, but at the time it seemed to lag behind recent vulns, and it did this enough that I looked elsewhere after a while. The IBM/ISS X-Force was/is a good research group, as far as I know. I don't know its current status.

Core IMPACT, CANVAS and Metasploit are really pentesting tools (although with some scanning functionality) that are out of scope for what you've asked for; however, I have found these useful at various times depending upon the circumstances at hand. If you've got the authority & clearance to do actual penetration testing you'll be sure to come across these. IMPACT is the most expensive of the bunch, has a lot of functionality, and is very easy to use with very nice reporting. CANVAS is also functional for pentesting and is much less expensive, but not as user friendly, and I don't think it has much reporting. Metasploit is free, and I don't think it has much, if any type of, reporting. CANVAS and Metasploit can be used to develop new exploits and provide an R&D framework for those with the resources to do so. The pentesting tools can also help weed out false positives, but of course must be used carefully. (A larger review of these products/tools is out of scope for this short message.)

Application Security's Appdetective for Oracle was useful to help identify the types of things that an automated scanner can detect. Application Security Inc. provides versions for several types of databases.

Human Brain is the best product of all and is remarkably versatile :)

In your question, you say "OS Vuln Scanners", but don't forget webapps, client-side assessments, databases, and the underlying network (insecure wifi APs, etc.) all play a part. As the various OS's are hardened against attack methodologies of yesteryear, webapps, client apps and users are being hammered upon, and I think it's important to pay attention to all of these elements within the context of the more critical resources that must be protected. We all know that integrating security into the development and procurement process should be a standard practice, but that doesn't account for systems that are already in production, and when the bottom line demands that an app get out the door quickly, security may take the hit.

Don't let the attackers be the first people to assess your systems!

--
Curt Wilson
SIUC IT Security Officer & Security Engineer