RE: Best Commercial Vulnerability Scanner

["Andy Cuff (Talisker)" <SecurityLists () securitywizardry com>]

Hi Sheldon,
Fantastic, I can't see how we missed Vulnerability Management as a category!
It's also refreshing for a vendor to name competitors products.
Most of the products mentioned were in various other scanner categories, so
I've also added them here:
http://www.networkintrusion.co.uk/index.php/component/mtree/Scanning-Product
s/Vulnerability-Management.html

If anyone can think of any other vulnerability management tools please let
me know.  To clarify, I wouldn't include Microsoft WSUS or SMS in this
category as (IMHO) all products should have provision to update and patch in
this day and age.  Though I'm open minded

Regards


Andy Cuff
Computer Network Defence Ltd
www.Networkintrusion.co.uk

> -----Original Message-----
> From: Sheldon Malm [mailto:smalm () ncircle com] 
> Sent: Friday, August 15, 2008 10:30 PM
> To: Andy Cuff (Talisker)
> Cc: pen-test () securityfocus com; Danux; 
> security-basics () securityfocus com
> Subject: RE: Best Commercial Vulnerability Scanner
>
> Andy: have you created a sub-category for Vulnerability 
> Management solutions that offer integrated, dynamic web 
> application scanning?
>
>  
>
> I’ll use Gartner's May 2008 ratings for “Vulnerability 
> Assessment” to frame the VM space.  The following vendors 
> from Gartner’s 5 categories have dynamic Web Application 
> scanning capabilities built into their products today:
>
>  
>
> -        Strong Positive: nCircle
>
> -        Positive: eEye; Rapid7
>
>  
>
> Others in the space are likely to follow, but this is it 
> today.  (Today, as in August 15th).
>
>   
>
>  
>
> Here is Gartner’s MarketScope, for anyone who’s interested:
>
>  
>
>  
>
>  
>
> I hope this helps.
>
>  
>
>  
>
> Sheldon Malm
>
> Director
>
> Security Research and Development
>
> nCircle Network Security
>
>  
>
> http://blog.ncircle.com <http://blog.ncircle.com/>  
>
>  
>
>  
>
>  
>
> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Andy Cuff 
> (Talisker)
> Sent: Friday, August 15, 2008 5:00 PM
> To: 'Danux'; security-basics () securityfocus com
> Cc: pen-test () securityfocus com
> Subject: RE: Best Commercial Vulnerability Scanner
>
>  
>
> Hi Danux,
>
> We've spent sometime breaking down Vulnerability scanners 
> into a variety of
>
> sub categories depending on what you need them to do, from 
> your product
>
> choice you appear to be looking for a Website Scanner, our 
> breakdown is as
>
> follows:
>
>  
>
> At the top of the tree is Distributed vulnerability scanners 
> which generally
>
> serve enterprises or managed services where you need to distribute the
>
> scanning engines due to bandwidth constraints etc
>
> We have listed them here
>
> http://www.networkintrusion.co.uk/index.php/component/mtree/Sc
> anning-Products/Distributed-Scanners.html
>
>  
>
>  
>
> Beneath this would come your network vulnerability scanners, 
> such as Nessus
>
> or Hailstorm (Cenzic)
>
> http://www.networkintrusion.co.uk/index.php/component/mtree/Sc
> anning-Products/Network-Scanners.html
>
>  
>
>  
>
>  
>
> Then you start to get specialised such as with web testing 
> with products
>
> like your Acunetix product, which I just added to the listing 
> along with SPI
>
> Dynamics which I now understand to be WebInspect after it's 
> acquisition by
>
> HP
>
> http://www.networkintrusion.co.uk/index.php/component/mtree/Sc
> anning-Product
>
> s/Website-Scanners.html
>
>  
>
> Database Scanners
>
> http://www.networkintrusion.co.uk/index.php/component/mtree/Sc
> anning-Product
>
> s/Database-Scanners.html
>
>  
>
> Watchfire has been acquired by IBM, blue rinsed and 
> integrated into Rational
>
> software quality management solutions.  I can't find much 
> reference to it on
>
> the IBM site
>
>  
>
> We also have categories for 
>
> Active and Passive OS Fingerprinting tools such as nmap and P0F
>
> Network enumerators
>
> Network mappers (enterprise)
>
> Vulnerability Exploiters such as Metasploit and Core
>
>  
>
> The site is a new reincarnation of our old site, some of the 
> listings are
>
> dated and I need people to rate and review the products.  We 
> hope to launch
>
> it properly once it's finished sometime in September
>
>  
>
> Regards    
>
>  
>
> Andy Cuff
>
> Computer Network Defence Ltd
>
> www.networkintrusion.co.uk
>
>  
>
>  
>
>  
>
>  
>
> >
>
> > We are doing vulnerability testing using SPI Dynamics with
>
> > Mercury Quality Center to defect management but this tool is
>
> > too expensive
>
> > (SPI) and also when using with MQC it is too slow.
>
> >
>
> > In the past i have used Acunetix, i think is faster than SPI
>
> > Dynamics but i dont know about the price.
>
> >
>
> > do you know if Gartner, personal experience or other source
>
> > where i can have a comparison between those kind of products?
>
> > I mean like SPI Dynamics, WatchFire, Acunetix, Cenzic, so on.
>
> >
>
> > We are looking cheaper costs, better performance and good
>
> > vulnerability defect management.
>
> >
>
> > Thanks a lot.
>
> >
>
> > --
>
> > Danux, CISSP, OSCP, ISO27001
>
> >
>
> > --------------------------------------------------------------
>
> > ----------
>
> > This list is sponsored by: Cenzic
>
> >
>
> > Top 5 Common Mistakes in
>
> > Securing Web Applications
>
> > Get 45 Min Video and PPT Slides
>
> >
>
> > www.cenzic.com/landing/securityfocus/hackinar
>
> > --------------------------------------------------------------
>
> > ----------
>
> >
>
> >
>
> >
>
> >
>
>  


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------