Educause Security Discussion mailing list archives

Re: Vulnerability Scanner Recommendations


From: Kevin Halgren <kevin.halgren () WASHBURN EDU>
Date: Fri, 16 Nov 2012 16:40:31 -0600

Personally I love our Nessus system, but I don't have experience with other commercial products.
http://www.tenable.com/products/nessus/nessus-product-overview

OpenVAS is free and open-source and it's OK, though it's not as easy to use and requires more customization to be useful. Nessus gives better results in my opinion. It's interesting to scan the same system with each and see the difference in results.
http://www.openvas.org/

In any case, these are just tools. You still have to be able to assess and validate the results these systems give you. They help find a number of issues, but there are always some false positives or differences in judgement regarding how significant an issue is. For example, I consider a Denial-of-Service vulnerability on most systems to be a medium-risk issue: we'll fix it at the next good opportunity or scheduled update cycle. Potential information exposure, on the other hand, is high-risk and requires a more urgent response. Network security scanners may prioritize such vulnerabilities differently from what I would. It doesn't mean they're wrong; it's just a difference in judgement based on our environment.

Kevin

On 11/15/2012 10:21 AM, Greg Schmalhofer wrote:

Educause security group,

Can anyone recommend a particular vulnerability scanner software, product, appliance, or service that you are using at your campus? This is a need at our campus and I am trying to review the different options available for a small campus. Thanks for any help, insight, or feedback you can provide.

Thanks,

Greg Schmalhofer

Millersville University

Information Security Coordinator

Millersville, PA
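As an added example, not part of Kevin's or Greg's posts: the two things Kevin describes, comparing what each scanner found on the same host and overriding the scanners' severity with a local judgement. The findings, IDs (placeholders, not real CVEs), names and ratings are constructed, and the two rules are assumptions illustrating his DoS and information-exposure examples.

```python
import re

# Constructed, simplified findings for one host; not either product's real export format.
# The CVE-0000-* ids are placeholders, not real CVE numbers.
NESSUS = [
    {"id": "CVE-0000-0001", "name": "Apache mod_foo Denial of Service", "severity": "High"},
    {"id": "CVE-0000-0002", "name": "Web server information disclosure", "severity": "Low"},
    {"id": "CVE-0000-0003", "name": "OpenSSH remote code execution", "severity": "Critical"},
]
OPENVAS = [
    {"id": "CVE-0000-0001", "name": "Apache DoS vulnerability", "severity": "Medium"},
    {"id": "CVE-0000-0003", "name": "OpenSSH RCE", "severity": "High"},
    {"id": "CVE-0000-0004", "name": "Expired TLS certificate", "severity": "Medium"},
]

RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Assumed local policy: a DoS is capped at Medium (fix on the next cycle);
# an information exposure is raised to at least High (urgent).
LOCAL_RULES = [
    (re.compile(r"denial.of.service|\bdos\b", re.I), "cap", "Medium"),
    (re.compile(r"information (disclosure|exposure)", re.I), "floor", "High"),
]


def local_severity(name, scanner_severity):
    """Apply the local rules to one finding; unmatched findings keep the scanner's rating."""
    sev = scanner_severity
    for pattern, mode, level in LOCAL_RULES:
        if pattern.search(name):
            if mode == "cap" and RANK[sev] > RANK[level]:
                sev = level
            elif mode == "floor" and RANK[sev] < RANK[level]:
                sev = level
    return sev


def reconcile(nessus, openvas):
    """Merge both scanners' findings by id and attach the locally judged severity."""
    merged = {}
    for source, findings in (("nessus", nessus), ("openvas", openvas)):
        for f in findings:
            entry = merged.setdefault(f["id"], {"nessus": None, "openvas": None, "name": f["name"]})
            entry[source] = f["severity"]
    for entry in merged.values():
        # Start from the higher of the two scanner ratings, then apply the local rules.
        rated = [s for s in (entry["nessus"], entry["openvas"]) if s]
        entry["local"] = local_severity(entry["name"], max(rated, key=RANK.get))
    return merged


def only_in(merged, scanner):
    """Ids reported by one scanner but not the other, i.e. the difference Kevin suggests looking at."""
    other = "openvas" if scanner == "nessus" else "nessus"
    return {vid for vid, e in merged.items() if e[scanner] and not e[other]}
```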
