From: Christoph Puppe (puppe@hisolutions.com)
Date: Tue Nov 15 2005 - 10:27:49 EST
Salve,
> Tblinux wrote:
>
>>I know that most if not all of you use or have used Nessus at some
>>point. I've been following the thread. Now that it appears that Nessus
>>is seriously ratcheting down support for independent consultants and
>>corporate / gov't users without a registered and paid for license what
>>scanning software are you considering? Has anyone done a *complete*
>>comparison of all of the scanning software out there and made a choice
>>based on the findings? If so what was it?
Yep, I've invested 3 months into a comparison of 10 VA Tools and published
the findings (german, pay per view link, sorry it's not open source, was a
*lot* of work and I have to feed my family):
http://www.heise.de/ix/iXInhalt/search.shtml?T=L%F6schersuche&button=Suchen
No english version out there, I'm still trying to sell the article. In case
you know an editor who could be interessted, please send me a PM.
Statistical basis for the comparison are appr. 1300 CVE which I have
manually verified. Target Network consisted of 19 Systems from 1996 Irix to
W2003-Server, Cisco, AIX, Linux, FreeBSD. Scanners were 4 appliances and 6
softwares.
To post a quick summary would be unfair, as you have to read the methology
to understand the results. And then all tools have special features that
make them interessting, same goes for certain environments, where some
tools have great advantages. Getting a VA-Tool is dependant on a few
factors, quality of the results, reports and ease of use, obviously. But
then all companies are different, need to insert the data into other
systems, have certain requirements, so no easy choice.
As for the pentesting consultant, requirements are mostly the same, getting
all vulns fast w/o killing any services or changing any data. For all
purpose VA tools, the market leaders are all up to the job, with
differences in handling, result and price. No open source tools are in this
category, not since a year as you need to get the registered plugins to be
up to date with nessus.
BTW, the discussion about nessus and GPL. Things have changed a long time
ago, as the scanning tool is only the messenger, the plugins are the
message. So the whole fuss about nessus and GPL is outdated, as the plugins
have left opensource a while ago. Not beeing able to update the plugins
will kill all forks in no time, if they ever take off. You need a constant
struggle, daily updates, quality control and large testbeds to maintain
leetness. And then, if there are ppl willing to put up hard work to have a
opensource VA scanner, why has renaud and friends had to do the whole show
alone? Where were the ppl when everybody expected him to just do it and
other companies sold off his work in appliances? So I for one can
understand him very well. And yes, I have contributed. While back, not much.
-- Mit freundlichen Grüßen Christoph Puppe Security Consultant We secure your business.(TM) _______________________________________________________ HiSolutions AG Phone: +49 30 533289-0 Bouchéstrasse 12 Fax: +49 30 533289-99 D-12435 Berlin Internet: http://www.hisolutions.com _______________________________________________________ ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:10 EDT