We’ve been using a third party to run quarterly vulnerability scans using Nessus, but they’ve stopped offering the service.

Can someone suggest a third party for vulnerability scanning?

4 Spice ups

Qualys? What are you looking for, just PCI Compliance vulnerability assessments?

1 Spice up

David,

I’d like to get the same type of scan we’re getting from Nessus (threats based on severity: critical, high, medium, etc.), a basic explanation / type of threat, and a possible solution.

I haven’t tried Qualys, but I looked at their reports and they look to be easier to read than the Nessus ones.

thanks,

Carlton.

1 Spice up
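For anyone going the do-it-yourself route, the severity / description / solution view Carlton describes can be pulled straight out of a Nessus export. The script below is an added example, not from this thread or from Tenable: it reads the `.nessus` v2 XML layout (`ReportHost` / `ReportItem` elements with `severity`, `pluginName`, `description`, `solution`) and summarises findings most-severe first. The embedded XML is a constructed sample, not a real scan.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Severity codes used in the .nessus v2 "severity" attribute.
SEVERITY = {"4": "Critical", "3": "High", "2": "Medium", "1": "Low", "0": "Info"}

# Constructed sample in .nessus v2 layout (not a real scan result).
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="quarterly-external">
  <ReportHost name="203.0.113.10">
   <ReportItem port="443" svc_name="https" protocol="tcp" severity="3"
               pluginID="10001" pluginName="Example TLS weakness" pluginFamily="General">
    <description>Constructed finding: server accepts a weak cipher.</description>
    <solution>Disable the weak cipher suite.</solution>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="10002" pluginName="SSH banner" pluginFamily="General">
    <description>Informational banner.</description>
    <solution>n/a</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def parse_findings(nessus_xml):
    """Return one dict per ReportItem, sorted most severe first."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            level = int(item.get("severity", "0"))
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("protocol")}/{item.get("port")}',
                "level": level,
                "severity": SEVERITY.get(str(level), "Unknown"),
                "name": item.get("pluginName"),
                "description": (item.findtext("description") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
    findings.sort(key=lambda f: -f["level"])
    return findings


def severity_counts(findings):
    """Count findings per severity label, e.g. {'High': 1, 'Info': 1}."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_NESSUS):
        print(f"[{f['severity']}] {f['host']} {f['port']} {f['name']} -- fix: {f['solution']}")
```

Point `ET.parse()` at a real export instead of `SAMPLE_NESSUS` to run it on your own quarterly scan.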

Nessus is a fairly easy security tool to get your head around… why not do the scans yourself, save the business some money and then ask for that money as a pay rise :)

1 Spice up

I can do it for ya! XD

If you’re looking for an ASV, you’ll surely be able to find one here: PCI Security Standards Council – Protect Payment Data with Industry-driven Security Standards, Training, and Programs

You’re wanting to test it yourself? Sorry, I didn’t catch that. Here are a few… OpenVAS, IronWASP, Intruder, or good ol’ Kali Linux.

1 Spice up

Selorex,

Send me your contact info via private message with some info about your company and what scanner you use for VS.

thanks,

Carlton.

Taurus07,

I checked the Nessus site (Tenable), but for a pro license it was like $2100. Is there a community version?

I’ve been working to get a vulnerability scanner as well, and I have a few questions that may help find the best solution.

How many systems are you looking to scan?

Are you still looking to do this quarterly?
Will the systems be internal or external (public ip address space)?

Is one of the driving factors PCI compliance (approved scanning vendor)?

Will this vulnerability data be integrated into any other tools (risk management, compatibility, SIEM)?

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

guystevenl,
We need to scan about 30 WAN IP addresses, quarterly, external. We’re not required to run these scans. It’s more for internal use.
The data won’t be integrated into other tools.

External = Qualys.

On-premise, do-it-yourself = OpenVAS.

1 Spice up

I contacted Nessus and it looks like they don’t charge for non-profits.

That is news to me. I’ve always liked using Nessus, and never really had any problems with it.

I decided to give Nexpose a shot recently, and thought it did a good job as well.

Nexpose has a free community version for up to 32 IPs. The interface is pretty easy to work with, and you can create an easy set-and-forget schedule. Reports will show past results if you are interested in trending as well.