RE: Vulnerability scanners
From: Rosado, Rafael (Rafael) <rarosado(at)lucent.com>
Date: Thu Mar 27 2003 - 16:55:12 EST
Rafael Rosado, CISSP, CISA
+1 954-885-2176 (voice) * +1 954-885-3861 (fax) * +1 954-648-3532 (mobile) or 9546483532@mobile.att.net (text message) *rarosado@lucent.com (email) * This electronic mail message contains information belonging to Lucent Technologies, which may be confidential and/or legal privileged. The information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, printing, copying, distribution, or the taking of any action in reliance on the contents of this electronically mailed information is strictly prohibited. If you receive this message in error, please immediately notify us by electronic mail and delete this message.
-----Original Message-----
Dan, I will not provide you with an endorsement of any product (commercial or freeware), but I can tell you that there are less expensive commercial solutions than Qualys (not to say that the Qualys product is not worth that cost, although it does seem steep... well, then you have Foundscan, which is much more expensive). You probably need to bring several full evaluation copies in-house and run your own "head-to-head" comparisons. If you don't have the time or resources to perform such an in-house evaluation, you could take your chances in relying on 3rd-party comparisons/evaluations (such as the one done by Information Security Magazine - http://www.infosecuritymag.com/2003/mar/cover.shtml and http://www.infosecuritymag.com/2003/mar/comparisonchart.shtml - or Network World Fusion at http://www.nwfusion.com/reviews/2002/vulnerability0204.jsp). You could always go with the limited-budget solution - Nessus and "Almost Free" Tools (refer to Fred Langston's presentation - http://www.issa-ps.org/presentations/issaps-0303a.pdf).

Each alternative has implementation, deployment and maintenance costs associated with it. How accurate each one is, and how often each is updated with the latest attack signatures, is debatable, although Nessus has been highly rated by many for accuracy and updated attack signature availability (it is considered one of the most widely accepted and recommended security tools available, along with NMAP, which Nessus has embedded into it). Most security professionals I have interacted with have mentioned that they use Nessus to complement the results from whatever commercial vulnerability scanners they are using.

Good luck with your evaluation/decision.
Rafael Rosado, CISSP, CISA
-----Original Message-----
I'd be astounded if it took that much money to administer Nessus. I run Nessus, and it's so little trouble that I don't think I've spent 60 minutes administering/installing/maintaining it all year so far. Every time I run it, I do the check for updates (and heck, you can set that as a cron job if you really want), and aside from that I've had no trouble with it whatsoever.

I cannot believe that Qualys has vulnerability signatures faster than Nessus, at least by any reasonable amount of time... I've seen NASL plugins out within hours of the vulnerability being made public. Easier updates than Nessus? Um... "nessus-update-plugins"... wait about 20-90 seconds... done! What's so hard about that? And I can write my own NASL plugins for Nessus if I so desire (and I have), which I cannot do with Qualys.

Finally, a company I worked for tested Qualys once, and they failed to find some of the more important problems with the NT box we stood up outside of our firewall. This was years ago, and I'm sure things have improved (or so I hope), but it was still a powerful thing to see first hand. In the end, we went with Nessus, and never had a problem after that.
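The cron-driven "nessus-update-plugins" routine mentioned in the message above, written out as an added example (this is not code from the thread or from the Nessus project). The wrapper runs the updater, logs each run with a timestamp and the updater's exit status, and reports how many .nasl plugin files appeared, so a silent update failure or an empty feed shows up in the log and, via the non-zero exit, in cron's mail. The plugin directory, log path and command name are assumptions for a Nessus 2.x host; override the three environment variables for your install.

```shell
#!/bin/sh
# Added example: cron wrapper around nessus-update-plugins.
# Assumed defaults for a Nessus 2.x install; override via environment.
NESSUS_PLUGIN_DIR="${NESSUS_PLUGIN_DIR:-/usr/local/lib/nessus/plugins}"
NESSUS_UPDATE_CMD="${NESSUS_UPDATE_CMD:-nessus-update-plugins}"
NESSUS_UPDATE_LOG="${NESSUS_UPDATE_LOG:-/var/log/nessus-update.log}"

# Count .nasl plugin files under a directory; 0 if the directory is missing.
count_plugins() {
    if [ -d "$1" ]; then
        find "$1" -type f -name '*.nasl' | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Run the updater, append a timestamped summary line to the log, and print
# "before after added" on stdout. Returns the updater's own exit status so a
# failed update is visible to cron (non-zero exit => mail to the crontab owner).
update_nessus_plugins() {
    before=$(count_plugins "$NESSUS_PLUGIN_DIR")
    "$NESSUS_UPDATE_CMD" >>"$NESSUS_UPDATE_LOG" 2>&1
    status=$?
    after=$(count_plugins "$NESSUS_PLUGIN_DIR")
    added=$((after - before))
    printf '%s update exit=%s plugins before=%s after=%s added=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$status" "$before" "$after" "$added" \
        >>"$NESSUS_UPDATE_LOG"
    echo "$before $after $added"
    return "$status"
}

# Invoke as "nessus-update.sh run" from cron, e.g. nightly at 03:00:
#   0 3 * * * /usr/local/sbin/nessus-update.sh run
case "${1:-}" in
    run) update_nessus_plugins ;;
esac
```

Because the function reads the three variables at call time, the same script can be pointed at a staging plugin directory first; a run that reports added=0 for several days in a row is the usual sign that the feed URL or proxy settings on the host have broken, and is worth alerting on.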
Received on Thu Mar 27 17:12:38 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:34 EDT