Re: Vulnerability Assessment

From: US Infosec (usinfosec@gmail.com)
Date: Fri Jul 27 2007 - 03:22:00 EDT


I am not sure who told you that Foundstone cannot scan public IP
addresses, but they do and I use it for that purpose a lot. Also, as
I think I pointed out before, when you look at Foundstone be sure to
also check out Preventsys which improves the reporting quite a bit. I
have no vested interest in your decision and will just tell you that I
perform vulnerability assessments all the time and frequently will
scan customers that have Qualys and I end up finding stuff that it
didn't. So, again I would recommend that you do a proof of concept
with both in your environment and see which one produces the results
you are looking for.

One last thought. A lot of places want to "automate" vulnerability
assessments. You can schedule them but all of the rest of the process
really needs people involved. As others would probably agree,
relying on an automated process for vulnerability assessment and then
patch management can lead to some serious problems and a false sense
of security.

Good Luck

On 7/25/07, Uzair Hashmi <uzair@kse.com.pk> wrote:
> Hello,
>
> First of all I would like to thank everyone in this list who replied to
> my message and gave enough different perspectives, I really appreciate
> it. Thank you very much.
>
> Currently we are using Nessus, nmap, nc, Metasploit, and obviously
> ethereal (I can't breathe without it), for all the Vulnerability
> Assessment exercises. Security dept. needs to entertain Operations dept.
> and Audit Dept. separately; giving them compliance reports with a certain
> level of authenticity and trust, with specific solutions as well (taking
> care of the change management process, also like what needs to be updated and
> what not). We have 20,000 local IPs and 8 public. With the current situation
> it's quite difficult to manage the reporting and change tracking; the
> whole automation of this process, and giving the reasons to audit why
> and what we have communicated to. All records have to be maintained.
>
> I have evaluated almost all possible products / solutions / services
> that every person has suggested. Products like ISS, Retina, CoreImpact
> etc. are not feasible due to various technical and policy based reasons.
> Also some support issues in the operating city.
>
> We are not debating about what tools and processes can make up a
> credible infrastructure for security management. But to a very very
> specific area of vulnerability assessment, in fact vulnerability
> assessment automation.
>
> Please give technical answers that can really help in taking the
> decision. The comparative answers I got from most persons in this list
> don't satisfy at all, because I have no concern what market share and
> clientele one product has, etc. Also most of the persons comparing
> QualysGuard and Foundstone look like they worked with or evaluated only
> one of the products, or got biased by some marketing strategy.
>
> Anyway, here are the cons of both products with vendor justifications:
>
> QualysGuard:
> Data is stored at qualys.com. The vendor mentioned that the data and
> maps stored are in encrypted format, encryption key is based on the
> user's password. In case you forget the password, a new account will
> be created, the old account with whatever data it holds is dumped /
> deleted. Whereas, Foundstone stores all data on its local hard disk. The
> vendor is willing to sign a legal NDA for information disclosure.
>
> McAfee Foundstone:
> Cannot scan public IPs. It is quite possible to scan public IPs from
> DMZ, but again Foundstone doesn't target that audience. Also while
> scanning from DMZ one cannot strictly check the firewalls and other
> devices' configurations from an alien perspective. QualysGuard is good at
> it.
>
> Note: Vulnerability database is updated locally before each new scan (if
> required), and hence needs internet availability to download/update the
> database.
>
> Now the pros part, QualysGuard has far better reporting compared to
> Foundstone, and also to Retina and Nessus. Both QualysGuard and Foundstone
> support threat correlation (Foundstone comes with additional cost for
> this module, not by default). Both support risk management matrix, and
> role-based user access control.
>
> I have not considered the scan speed and network utilization of the two
> products while evaluating, so if someone can give his/her input in this
> regard, or any other technical consideration, I look forward to it and
> appreciate if someone can really help in selecting one from the two.
>
>
> Best Regards,
> Uzair
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:58 EDT