PaulDotCom mailing list archives

Re: vulnerability scanners

From: Francois Lachance <digitallachance () gmail com>
Date: Wed, 1 Sep 2010 20:42:21 -0600

Forrester recently published a research paper titled "The Forrester Wave™:
Vulnerability Management, Q2 2010" (
http://www.forrester.com/rb/Research/wave%26trade%3B_vulnerability_management%2C_q2_2010/q/id/56932/t/2).
It costs $1,740 USD to purchase that report (ouch!). I am fortunate enough
to work for a corporation that has a membership with Forrester. Take a look
at the executive summary to give you an idea of which vendors they ranked.

You can see a research paper from Gartner (MarketScope for Vulnerability
Assessment) at
http://www.gartner.com/technology/media-products/reprints/qualys/article1/article1.html
.

You never mentioned what kind of budget you have to do that purchase.

Nessus is a great tool (I currently use it). If all you care is to scan,
fix and move on, that will be the least expensive commercial product you can
find because everyone else charges by the number of IP addresses you are
scanning. Nessus just charges for a yearly subscription with no limitation
on how many IP you scan. If you have a more complex environment, you'll
want to move from just vulnerability scanning to vulnerability management
instead. Nessus alone doesn't cut it. You really need a database to store
your scan results so that you can generate reports in many different ways.
With Nessus, I end up with a bunch of HTML report files generated based on
templates available in Nessus.

We are now looking at maturing our vulnerability assessment capabilities. I
figure that using one of those commercial tools like the ones from Rapid-7,
Qualys or Tenable, it will cost anywhere between $30-50K to purchase for
around 2000 IPs.

This might also be interesting read, to educate yourself:
The Essential Guide to Vulnerability Scanning -
http://www.itsecurity.com/features/essential-guide-vulnerability-scanning-060508/

Good luck!

On Tue, Aug 31, 2010 at 11:29 AM, Albert R. Campa <abcampa () gmail com> wrote:

This is true. When you said Core, i thought, do they have a vuln scanner?

I installed Nessus home and Nexpose community on BT4 and did some scanning
and comparison. I havent had time to put everything together, but as someone
stated it would be good to test them out.

__________________________________
Albert R. Campa



On Tue, Aug 31, 2010 at 12:10 PM, Paul Asadoorian <paul () pauldotcom com>wrote:

Hi Andrew,

I wasn't sure from your email if you were comparing penetration testing
frameworks to vulnerability scanners, but they should be thought of, and
treated as, separate products.

In short: a vulnerability scanner is going to give you a comprehensive
view of your vulnerabilities.

An exploit framework is going to give you more depth and intrusiveness
into the vulnerabilities that exist.

My other suggestion is that when you compare vulnerability scanners,
don't use the default settings to compare.  Take the time to test each
one against a test environment and tune the scanner accordingly.  Also,
your targets should be real, and you should have a pretty good idea the
vulnerabilities that exist before you start running scans. There is a
lot more to take into consideration, feel free to ping me with specific
questions.

Hope that helps!

Cheers,
Paul

On 8/31/10 12:02 PM, Andrew Anderson wrote:

So I'm looking to justify the purchase of a vulnerability scanning
product and am looking for some objective opinions.

I am partial to Nessus, due in part to the fact that I have used it
before and it's price is really attractive.
I am looking at Core as well - trying to figure out which on of their
products lines up best with Nessus proffesional feed (for comparisons).

Can anyone point me to a decent third party comparison online?
Does anyone have any suggestions for a  third contender for my list?



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
Fax: 1.877.846.2187
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

vulnerability scanners Andrew Anderson (Aug 31)
- Re: vulnerability scanners Butturini, Russell (Aug 31)
  - Re: vulnerability scanners Michael Douglas (Aug 31)
- Re: vulnerability scanners Paul Asadoorian (Aug 31)
  - Re: vulnerability scanners Daniel (Aug 31)
  - Re: vulnerability scanners Albert R. Campa (Aug 31)
    - Re: vulnerability scanners Francois Lachance (Sep 02)
- Re: vulnerability scanners Michael Dickey (Aug 31)
- <Possible follow-ups>
- Re: Vulnerability Scanners Herndon Elliott (Sep 01)
  - Re: Vulnerability Scanners Albert R. Campa (Sep 01)