RE: Vulnerability scanners

From: Ken Smith (ksmith@akibia.com)
Date: 03/27/03

    Date: Thu, 27 Mar 2003 16:08:00 -0500
    From: "Ken Smith" <ksmith@akibia.com>
    To: "Jeff Williams @ Aspect" <jeff.williams@aspectsecurity.com>, "Dan Lynch" <dan.lynch@placer.ca.gov>, <pen-test@securityfocus.com>

    Don't forget that Qualys is not a managed service. You still need to set up the scans, customize the reports, set up scheduling, and make sense of the resulting reports. It's not completely outsourcing; it's an ASP model.

    -----Original Message-----
    From: Jeff Williams @ Aspect [mailto:jeff.williams@aspectsecurity.com]
    Sent: Thursday, March 27, 2003 1:59 PM
    To: Dan Lynch; pen-test@securityfocus.com
    Subject: Re: Vulnerability scanners

    Let's assume that you're talking about 256 IPs (based on Qualys' published
    pricing), and you want to scan weekly. That's at least a day a week of
    effort for someone (probably more to generate a very nice report and
    summaries). A full-time sysadmin (including salary, benefits,
    office, etc.) probably costs well north of $100K. You'd have to include
    some equipment costs in there. So I doubt you could do it much cheaper.
    I think vulnerability scanning is a reasonable thing to outsource for
    companies that are not in the security or networking field already.

    Still, the incremental cost of their service must be far less than that.
    Obviously they've invested a significant amount in their scanning
    engine and report structure. And there will be some maintenance and
    network costs to consider. But the cost of adding one more customer
    should be fairly small. If their prices don't start approaching this
    incremental cost, then there's an opportunity for someone else to enter
    the market and provide the service for cheaper. Maybe you can push them
    on this point.

    Whatever you decide, you should also be sure to consider the cost of
    interpreting the results and making the changes to fix any problems
    uncovered. Simply having the scan done for you does not relieve you of
    the responsibility of going through the findings carefully and keeping
    systems hardened.

    Please let the list know how this comes out as there are probably many
    companies wrestling with this decision now.

    --Jeff

    Jeff Williams
    Aspect Security, Inc.
    http://www.aspectsecurity.com

    ----- Original Message -----
    From: Dan Lynch
    To: pen-test@securityfocus.com
    Sent: Wednesday, March 26, 2003 6:46 PM
    Subject: Vulnerability scanners

    Greetings list,

    Yesterday some reps from Qualys came with a sales presentation for
    their QualysGuard appliance. I'd like to solicit your comments and
    opinions on that product. In particular, do you think it's $45,000 per
    year better than Nessus? (That's about the cost we'd face based on our
    IP address range.) They claim it costs as much in administration to run
    Nessus. Does Qualys' claim to more vulnerability signatures and
    faster/easier updates hold water?

    Any input you can offer is greatly appreciated.

    Dan Lynch
    Information Technology Analyst
    County of Placer
    Auburn, CA

    530/889-4222

    Bureaucracy: the art of making the possible impossible.

    top spam and e-mail risk at the gateway.
    SurfControl E-mail Filter puts the brakes on spam & viruses
    and gives you the reports to prove it. See exactly how much
    junk never even makes it in the door. Free 30-day trial:
    http://www.surfcontrol.com/go/zsfptl1
