Re: Vulnerability scanners

Of course, also to consider, and it's somewhat refered to below in Jeff's reply: Scanning is only the beginning, and provides pointers as to what needs more attention. It's certainly not and end and a means to security, but a point of reference. Once the scan is done and it's reports submitted, then the real work begins. Security staff that merely scans and hands off a *potential* vuln report are not doing any real work. It's what they do after the report has been generated, if anything, that determines their worth, and the value of the scan in the first place.

Thanks,

Ron DuFresne

On Thu, 27 Mar 2003, Jeff Williams @ Aspect wrote:

> Let's assume that you're talking about 256 IPs (based on Qualys' published
> pricing), and you want to scan weekly. That's at least a day a week of
> effort for someone (probably more to generate a very nice report and
> summaries). The cost of a full-time sysadmin (including salary, benefits,
> office, etc...) probably costs well north of $100K. You'd have to include

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1