Educause Security Discussion mailing list archives

Re: Vulnerability scanners - what do you use? What seems to be successful for your environment?


From: Stewart James <Stewart.James () VU EDU AU>
Date: Wed, 26 May 2010 12:19:01 +1000

Hi Cathy,

 

We use Qualys here for vulnerability management. While we used Nessus
for many years to perform vulnerability scanning, we really needed to
start managing our issues.

 

Qualys is essentially a cloud service with a small plug-and-play
internal scanner located within our network. Management of the actual
service is pretty much nothing, as Qualys manage the web interface
centrally and automatically maintain the internal scanner. We have
established a regular scanning routine, and administrators are given
access to their systems' results, generating reports as they like.

 

From my perspective it has been a fantastic system, as I can generate
high-level reports, such as the top 10 most prevalent vulnerabilities and a
high-level summary including trends of vulnerabilities. When a
resolution for a vulnerability is performed, Qualys automatically detects
it and closes the relevant issue. If an admin flags a weakness to be
ignored, the system will stop reporting that weakness, though it can
still be seen in the "Ignored vulnerabilities" report.

 

Qualys also has policy compliance (e.g. CIS benchmarking) capabilities
and can also perform web vulnerability scanning. We have not yet started
compliance scanning, and we are not licensed for the web application
scanner.

 

We have been using Acunetix to perform our web application scanning. It
is fairly straightforward and easy to use, and at least worth the time
spent playing with the demo.

 

If budget is a concern, I found Qualys to be very competitive, but the Nessus
Pro feed coupled with Inprotect (http://inprotect.sf.net) may be a
workable model for managing vulnerabilities.

 

Of course, if you really are just wanting to perform ad hoc vulnerability
scanning and reporting.... Nessus wins hands down! Other solutions
(including Tenable's commercial offering) are really only useful once
you consider the overall "management" versus "scanning".

 

Cheers,

 

Stewart

 

 
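The "management versus scanning" distinction Stewart draws above comes down to one thing a bare scanner does not do: carry findings across runs, close them when the weakness is gone, and keep admin-suppressed ones visible in a separate report. The following is an added example, not Qualys, Nessus or Inprotect code, showing that reconciliation in Python. Hostnames, plugin ids, titles, severities and scan dates are constructed sample data; the 1-5 severity scale and the `Finding` fields are this example's own assumptions. It deliberately handles the case the post does not mention: a host that was offline during the latest run keeps its findings open, since a missing result is not evidence of a fix.

```python
"""Added example (not Qualys/Nessus/Inprotect code): track scanner findings across
runs so they can be opened, auto-closed on fix, or ignored but still reported."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    plugin_id: int        # scanner check id (Nessus-style plugin id; constructed values)
    title: str
    severity: int         # 1 (low) .. 5 (critical), a constructed scale
    first_seen: str
    last_seen: str
    status: str = "open"  # open | closed | ignored


def reconcile(tracked, scan, scanned_hosts, ignored, scan_date):
    """Merge one scan run into the tracked findings and return the new state.

    tracked:       dict (host, plugin_id) -> Finding, state before this run
    scan:          list of (host, plugin_id, title, severity) seen this run
    scanned_hosts: hosts the scanner actually reached this run; findings on
                   other hosts are left untouched (no evidence they were fixed)
    ignored:       set of (host, plugin_id) an admin chose to suppress
    """
    new = {key: Finding(**vars(f)) for key, f in tracked.items()}  # copy, don't mutate
    seen = set()
    for host, plugin_id, title, severity in scan:
        key = (host, plugin_id)
        seen.add(key)
        status = "ignored" if key in ignored else "open"
        if key in new:
            f = new[key]
            f.last_seen = scan_date
            f.status = status  # a closed finding that comes back is reopened
        else:
            new[key] = Finding(host, plugin_id, title, severity,
                               scan_date, scan_date, status)
    for key, f in new.items():
        if key not in seen and f.host in scanned_hosts and f.status != "closed":
            f.status = "closed"  # host was scanned and the weakness is gone
    return new


def top_prevalent(tracked, n=10):
    """Most common open findings by title: the 'top 10' report from the post."""
    counts = Counter(f.title for f in tracked.values() if f.status == "open")
    return counts.most_common(n)


def status_summary(tracked):
    """Counts per status, the raw material for a trend line across runs."""
    return dict(Counter(f.status for f in tracked.values()))


def ignored_report(tracked):
    """Suppressed findings remain visible, like the 'Ignored vulnerabilities' report."""
    return sorted((f.host, f.plugin_id) for f in tracked.values()
                  if f.status == "ignored")


def run_demo():
    # Constructed sample scans: (host, plugin_id, title, severity)
    scan1 = [
        ("web1", 10001, "OpenSSL out of date", 4),
        ("web1", 10002, "SMBv1 enabled", 3),
        ("db1", 10001, "OpenSSL out of date", 4),
        ("lab7", 10003, "Anonymous FTP", 2),
    ]
    state1 = reconcile({}, scan1, {"web1", "db1", "lab7"}, set(), "2010-05-19")

    # Second run: web1 patched OpenSSL, the db1 admin flagged theirs as ignored,
    # db1 gained a new finding, and lab7 was offline (not scanned).
    scan2 = [
        ("web1", 10002, "SMBv1 enabled", 3),
        ("db1", 10001, "OpenSSL out of date", 4),
        ("db1", 10004, "Default SNMP community", 3),
    ]
    state2 = reconcile(state1, scan2, {"web1", "db1"}, {("db1", 10001)}, "2010-05-26")
    return state1, state2


if __name__ == "__main__":
    s1, s2 = run_demo()
    print("top findings after run 1:", top_prevalent(s1))
    print("status counts after run 2:", status_summary(s2))
    print("ignored but still reported:", ignored_report(s2))
    for key, f in sorted(s2.items()):
        print(key, f.status, f.first_seen, f.last_seen)
```

Feeding each run's parsed scanner output through `reconcile` in turn gives the per-admin views and trend counts described above; the `scanned_hosts` argument is the part worth keeping whatever tool you use, because auto-closing on "not seen" without it silently closes findings on every host that happened to be down.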

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ullman, Catherine
Sent: Wednesday, 26 May 2010 1:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability scanners - what do you use? What seems
to be successful for your environment?

 

Greetings!

 

I am beginning to do some research into vulnerability scanners to be
used in assessing infrastructure weaknesses here at the University at
Buffalo.  I'm wondering if folks out there might be willing to share
with us what they're using, if anything, and any experiences (good or
bad) you've had with any of these products.

 

Many thanks in advance for your assistance.

 

Sincerely,

Cathy

 

Catherine J. Ullman

Information Security Analyst

Information Security Office

University at Buffalo

cende () buffalo edu

 



This email, including any attachment, is intended solely for the use of the intended recipient. It is confidential and 
may contain personal information or be subject to legal professional privilege. If you are not the intended recipient 
any use, disclosure, reproduction or storage of it is unauthorised. If you have received this email in error, please 
advise the sender via return email and delete it from your system immediately. Victoria University does not warrant 
that this email is free from viruses or defects and accepts no liability for any damage caused by such viruses or 
defects.
