RE: Qualys

From: Michael Gargiullo (mgargiullo@pvtpt.com)
Date: Wed Feb 08 2006 - 08:13:30 EST


________________________________________
From: Mark Teicher [mailto:mht3@earthlink.net]
Sent: Wednesday, February 08, 2006 7:49 AM
To: prasanna.mukundan@wipro.com; dmz@dmzs.com; usinfosec@gmail.com
Cc: mht3@earthlink.net; Michael Gargiullo; slebdawg@gmail.com
Subject: RE: Qualys

It really depends on how a particular corporation or consulting service is going to utilize the data. I heard a recent story of a particular security assessment where a certain network scanning device generated over 18,000 pages of vulnerability data, and the consultants provided only two recommendations to their particular customer. The lessons learned from this experience:

1. Define the goals of the engagement very clearly.
2. Define the deliverables very clearly.
3. Expect to do lots of manual validation.
4. If it takes more than a month to parse and generate a report, one clearly does not know how to use the tools properly or how to extract the correct data.

-----Original Message-----
From: prasanna.mukundan@wipro.com
Sent: Feb 8, 2006 6:55 AM
To: dmz@dmzs.com, usinfosec@gmail.com
Cc: mht3@earthlink.net, mgargiullo@pvtpt.com, slebdawg@gmail.com
Subject: RE: Qualys

There was a query I had initiated on QualysGuard some time back (late last year) on the list, and quite frankly, the replies generated showed QualysGuard in a poor light. As did our own assessment of it. One big problem we saw (and someone else on the list confirmed) was that Qualys does have access to your vulnerability data - as in read/view capability - one of the mails that came back to us (from Qualys personnel) asked if we wanted help on an aborted scan.
 
There were a host of other problems with its performance - the scanning being very, very slow because it happens via the internet. So, if you're looking at a huge network, it's going to be slow. We benchmarked it against Nmap, and frankly it was a no-contest.
 
regards,
Prasanna

________________________________________
From: David M. Zendzian [mailto:dmz@dmzs.com]
Sent: Wed 2/8/2006 11:35 AM
To: US Infosec
Cc: pen-test@securityfocus.com
Subject: Re: Qualys

And just for the list's knowledge, what products did you find that could
deliver on a class A assessment?

BTW, I know of several national and multi-national financial
institutions that depend on nCircle, doing both regular sweeps around
their network as well as tying into their DHCP servers to scan hosts as
they "go-live".

dmz

US Infosec wrote:

>nCircle came to do a demonstration for my team once. I work in an
>environment that has a full routable class A. I asked the technical
>guy there if they had ever deployed their appliances in a Class A
>environment and he said sure we have supported clients with 60K hosts.
>That was the end of our consideration.
>
>gl
>
>On 2/6/06, Mark Teicher <mht3@earthlink.net> wrote:

>
>>nCircle has been around for quite some time. They may not be classified as a vulnerability scanner as Qualys is defined as, but they are in the same market segment.
>>
>>-----Original Message-----
>>   
>>
>>>From: Michael Gargiullo <mgargiullo@pvtpt.com>
>>>Sent: Feb 6, 2006 9:43 AM
>>>To: pen-test@securityfocus.com
>>>Subject: RE: Qualys
>>>
>>>To be honest, I had never heard of nCircle before your post. Googling
>>>for "network security scanner", nCircle wasn't found within the first 20
>>>pages. Granted, that search came up with well over 1.6 million hits.
>>>When I searched specifically for nCircle within those results, it only
>>>came up with 14,000 hits. Qualys came up with 71,500 hits. eEye Retina
>>>scanner came up with 163,000. Nessus came up with 361,000 hits.
>>>
>>>Not that I can speak for them, but that's probably why it didn't show.
>>>
>>>Now, go through, and check pricing on those scanners (commercial support
>>>options).  I will say for a corporation, the reporting options for
>>>nCircle look interesting.
>>>
>>>-Mike
>>>
>>>-----Original Message-----
>>>From: slebdawg@gmail.com [mailto:slebdawg@gmail.com]
>>>Sent: Saturday, February 04, 2006 12:26 PM
>>>To: pen-test@securityfocus.com
>>>Subject: RE: Qualys
>>>
>>>I've worked in Info Security for one of North America's largest banks
>>>for over 8 years.  Where is nCircle on this list? Based on your list of
>>>important criteria, we've found nCircle to not only fit the bill --
>>>they've outperformed Qualys while allowing our organization to maintain
>>>control of our data. I can't tell you how many initiatives we've
>>>started because of the valuable information that we get from our IP360
>>>implementation.  In many of these cases, we found opportunities based on
>>>looking and thinking about the data in a very innovative way.  If
>>>someone else were hosting our solution, we would never have the
>>>intelligence in-house to find innovative ways to use this data.
>>>
>>>Reading your article, it makes me wonder if you work for Qualys.  I am
>>>truly boggled that you didn't include nCircle on your list ... even if
>>>they didn't turn out to be your vendor of choice, their absence makes me
>>>suspicious.
>>>
<snip>

I agree with your 4 points completely.

The statement "I heard a recent story of a particular security assessment that a certain network scanning device generated over 18,000 pages of vulnerability data, and the consultants provided only two recommendations to their particular customer." could be completely valid. Obviously, we don't have all the information, but we've been involved with extremely large networks where 80%+ of the computers scanned in the class B had the same vulns. I agree, the reporting should be able to tell us that. There should be a valid and USEFUL summary as well.

-Mike
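The kind of summary Mike is asking for (one line per vulnerability, with how much of the scanned population it hits, instead of one page per host) is easy to derive from any per-host export. The script below is an added illustration, not code from the list or from any of the vendors discussed; the CSV layout, the vulnerability ids and the 80% "fleet-wide" threshold are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real scanner output): one row per host/finding pair.
SAMPLE_CSV = """host,vuln_id,title,severity
10.1.0.5,V-1001,Missing OS patch (placeholder),high
10.1.0.6,V-1001,Missing OS patch (placeholder),high
10.1.0.7,V-1001,Missing OS patch (placeholder),high
10.1.0.8,V-1001,Missing OS patch (placeholder),high
10.1.0.5,V-2002,SMB null session allowed,medium
10.1.0.6,V-2002,SMB null session allowed,medium
10.1.0.9,V-3003,Anonymous FTP writable,high
10.1.0.5,V-4004,ICMP timestamp disclosure,low
10.1.0.6,V-4004,ICMP timestamp disclosure,low
10.1.0.7,V-4004,ICMP timestamp disclosure,low
10.1.0.8,V-4004,ICMP timestamp disclosure,low
10.1.0.9,V-4004,ICMP timestamp disclosure,low
"""

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def parse_findings(text):
    """Read the per-host export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(findings):
    """Collapse per-host rows into one row per vulnerability.

    Each summary row carries the number of distinct affected hosts and the
    fraction of all scanned hosts, ordered by severity then prevalence.
    """
    hosts = {f["host"] for f in findings}
    affected = defaultdict(set)
    meta = {}
    for f in findings:
        affected[f["vuln_id"]].add(f["host"])
        meta[f["vuln_id"]] = (f["title"], f["severity"].lower())
    rows = []
    for vid, hs in affected.items():
        title, sev = meta[vid]
        rows.append({"vuln_id": vid, "title": title, "severity": sev,
                     "affected": len(hs), "total_hosts": len(hosts),
                     "pct": len(hs) / len(hosts)})
    rows.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), -r["affected"]))
    return rows


def fleet_wide(rows, threshold=0.8):
    """Ids of vulnerabilities present on at least `threshold` of scanned hosts;
    these are the items that belong in the executive summary, not the appendix."""
    return [r["vuln_id"] for r in rows if r["pct"] >= threshold]
```

Running `summarize(parse_findings(SAMPLE_CSV))` on the constructed data collapses twelve host-level findings into four lines, two of which (the patch gap and the ICMP item) cover 80% or more of the hosts.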




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:28 EDT