Penetration Testing mailing list archives
Re: Vuln Scanning software choices
From: Christoph Puppe <puppe () hisolutions com>
Date: Tue, 15 Nov 2005 16:27:49 +0100
Hello,
Tblinux wrote:
> I know that most if not all of you use or have used Nessus at some point. I've been following the thread. Now that it appears that Nessus is seriously ratcheting down support for independent consultants and corporate / gov't users without a registered and paid-for license, what scanning software are you considering? Has anyone done a *complete* comparison of all of the scanning software out there and made a choice based on the findings? If so, what was it?
Yep, I've invested 3 months into a comparison of 10 VA tools and published the findings (German, pay-per-view link, sorry it's not open source, it was a *lot* of work and I have to feed my family): http://www.heise.de/ix/iXInhalt/search.shtml?T=L%F6schersuche&button=Suchen

No English version out there, I'm still trying to sell the article. In case you know an editor who could be interested, please send me a PM.

Statistical basis for the comparison are approx. 1300 CVEs which I have manually verified. The target network consisted of 19 systems from a 1996 Irix to W2003 Server, Cisco, AIX, Linux, FreeBSD. Scanners were 4 appliances and 6 software products.

To post a quick summary would be unfair, as you have to read the methodology to understand the results. And then all tools have special features that make them interesting, same goes for certain environments, where some tools have great advantages.

Getting a VA tool depends on a few factors: quality of the results, reports and ease of use, obviously. But then all companies are different, need to insert the data into other systems, have certain requirements, so no easy choice. As for the pentesting consultant, requirements are mostly the same: getting all vulns fast without killing any services or changing any data.

For all-purpose VA tools, the market leaders are all up to the job, with differences in handling, results and price. No open source tools are in this category, not for a year now, as you need to get the registered plugins to be up to date with Nessus.

BTW, the discussion about Nessus and the GPL: things changed a long time ago, as the scanning tool is only the messenger, the plugins are the message. So the whole fuss about Nessus and the GPL is outdated, as the plugins left open source a while ago. Not being able to update the plugins will kill all forks in no time, if they ever take off. You need a constant struggle, daily updates, quality control and large testbeds to maintain leetness.
And then, if there are people willing to put up hard work to have an open source VA scanner, why has Renaud and friends had to do the whole show alone? Where were the people when everybody expected him to just do it and other companies sold off his work in appliances? So I for one can understand him very well. And yes, I have contributed. A while back, not much.

-- 
Best regards
Christoph Puppe
Security Consultant

We secure your business.(TM)
_______________________________________________________
HiSolutions AG            Phone: +49 30 533289-0
Bouchéstrasse 12          Fax:   +49 30 533289-99
D-12435 Berlin            Internet: http://www.hisolutions.com
_______________________________________________________
Current thread:
- Vuln Scanning software choices Tblinux (Nov 10)
- Re: Vuln Scanning software choices Brad Spangler (Nov 11)
- Re: Vuln Scanning software choices Barrie Dempster (Nov 11)
- Message not available
- Re: Vuln Scanning software choices Christoph Puppe (Nov 15)
- <Possible follow-ups>
- RE: Vuln Scanning software choices Michael Gargiullo (Nov 21)
- Re: Vuln Scanning software choices Christoph Puppe (Nov 23)