Educause Security Discussion mailing list archives

Re: OS Vuln Scanners


From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 18 Apr 2008 13:46:25 -0500

Kevin Lanning wrote:
I'd appreciate info from list members regarding best products in this
category from your real life experience as a security professional in
higher ed.

thanks,

This message goes beyond what you asked for, but hopefully it may be
useful to the larger Educause community.

Don't forget about the many open source tools and scripts out there that
can be helpful. But with regards to commercial products, I've used many
of the following in various ways:


Vuln assessment related tools:
-----------------------------
Nessus w/ direct feed
SPI Dynamics WebInspect for webapps
eEye Retina
WebScarab, Paros & Burp proxies
ISS Scanner
human brain

Penetration testing tools:
-------------------------
Core IMPACT
Immunity CANVAS
Metasploit Framework (not commercial)
WebScarab, Paros & Burp (VA + pentest)
human brain

Database security tools
-----------------------
Appdetective for Oracle/SQL Server
human brain


For the costs and what you get, Nessus is clearly a winner in my mind.
The direct feed is reasonably priced and the product gets better over
the years in my experience. I've used it hundreds of times.

SPI Dynamics WebInspect is expensive, but it does a decent job finding
some percentage of webapp security issues. I believe that even the best
webapp scanner is no substitute for a skilled professional who has the
right tools & time. Still, running an automated web scanner is good to
detect the 30% or so (figure open to debate) of the issues that they
*can* detect, but it should not be the only measure taken.

eEye Retina I used for a year or so, and it seemed pretty decent for
assessing Windows hosts, but not so much the unix systems. At the time I
don't think there was any webapp assessment functionality in it at all,
but it's been a while and my engrams may be experiencing high latency. I
don't know its current status.

WebScarab & Paros are proxies for much slower manual analysis of
webapps. Burp is another proxy in this same vein that I haven't explored
yet, but am hearing good things about. There are some automated
functions within these proxies but I don't really regard them as a
"scanning" tool although they are useful for VA and pentesting functions
along with security analysis.

ISS Scanner I used some years back. It was OK, but at the time it seemed
to lag behind recent vulns and it did this enough that I looked
elsewhere after a while. The IBM/ISS X-Force was/is a good research
group, as far as I know. I don't know its current status.

Core IMPACT, CANVAS and Metasploit are really pentesting tools (although
with some scanning functionality) that are out of scope for what you've
asked for, however I have found these useful at various times depending
upon the circumstances at hand. If you've got the authority & clearance
to do actual penetration testing you'll be sure to come across these.
IMPACT is the most expensive of the bunch and has a lot of functionality
and is very easy to use with very nice reporting. CANVAS is also
functional for pentesting and is much less expensive, but not as user
friendly and I don't think it has much reporting. Metasploit is free,
and I don't think it has much, if any type of reporting. CANVAS and
Metasploit can be used to develop new exploits and provide an R&D
framework for those with the resources to do so. The pentesting tools
can also help weed out false positives, but of course must be used
carefully (a larger review of these products/tools is out of scope for
this short message).

Application Security's Appdetective for Oracle was useful to help
identify the types of things that an automated scanner can detect.
Application Security Inc. provides versions for several types of databases.

Human Brain is the best product of all and is remarkably versatile :)

In your question, you say "OS Vuln Scanners" but don't forget webapps,
client-side assessments, databases, and the underlying network (insecure
wifi APs, etc) all play a part. As the various OSes are hardened
against attack methodologies of yesteryear, webapps, client apps and
users are being hammered upon and I think it's important to pay
attention to all of these elements within the context of the more
critical resources that must be protected. We all know that integrating
security into the development and procurement process should be a
standard practice but that doesn't account for systems that are already
in production and when the bottom line demands that an app get out the
door quickly, security may take the hit. Don't let the attackers be the
first people to assess your systems!


--
Curt Wilson
SIUC IT Security Officer & Security Engineer
