RE: Vulnerability scanners

From: Rob Shein (shoten@starpower.net)
Date: 03/27/03

    From: "Rob Shein" <shoten@starpower.net>
    To: "'Jeff Williams @ Aspect'" <jeff.williams@aspectsecurity.com>, "'Dan Lynch'" <dan.lynch@placer.ca.gov>, <pen-test@securityfocus.com>
    Date: Thu, 27 Mar 2003 16:31:54 -0500
    
    

    Why do you need a nice weekly report? Is upper management going to want to
    see this report every single week, and if they do, why can't it be
    templated? Keep in mind, Qualys won't do anything for you besides run the
    scan and give you the report. Summaries are interpretive, and best done by
    someone who knows the network (in other words, you'll be doing them either
    way). And finally, even considering it taking an entire 24 hours to scan a
    class C range, is it really going to take four entire days to
    digest/collate/polish up the results, especially as the results will likely
    not have changed dramatically in the past week's time? I seriously question
    the notion that Nessus scanning of a class C on a weekly basis is a
    full-time job.

    > -----Original Message-----
    > From: Jeff Williams @ Aspect
    > [mailto:jeff.williams@aspectsecurity.com]
    > Sent: Thursday, March 27, 2003 1:59 PM
    > To: Dan Lynch; pen-test@securityfocus.com
    > Subject: Re: Vulnerability scanners
    >
    >
    > Let's assume that you're talking about 256 IPs (based on
    > Qualys' published pricing), and you want to scan weekly.
    > That's at least a day a week of effort for someone (probably
    > more to generate a very nice report and summaries). The cost
    > of a full-time sysadmin (including salary, benefits, office,
    > etc...) probably costs well north of $100K. You'd have to
    > include some equipment costs in there. So I doubt you could
    > do it much cheaper. I think vulnerability scanning is a
    > reasonable thing to outsource for companies that are not in
    > the security or networking field already.
    >
    > Still, the incremental cost of their service must be far less
    > than that. Obviously they've invested in a significant amount
    > in their scanning engine and report structure. And there
    > will be some maintenance and network costs to consider. But
    > the cost of adding one more customer should be fairly small.
    > If their prices don't start approaching this incremental
    > cost, then there's an opportunity for someone else to enter
    > the market and provide the service for cheaper. Maybe you
    > can push them on this point.
    >
    > Whatever you decide, you should also be sure to consider the
    > cost of interpreting the results and making the changes to
    > fix any problems uncovered. Simply having the scan done for
    > you does not relieve you of the responsibility of going
    > through the findings carefully and keeping systems hardened.
    >
    > Please let the list know how this comes out as there are
    > probably many companies wrestling with this decision now.
    >
    > --Jeff
    >
    >
    > Jeff Williams
    > Aspect Security, Inc.
    > http://www.aspectsecurity.com
    >
    >
    > ----- Original Message -----
    > From: Dan Lynch
    > To: pen-test@securityfocus.com
    > Sent: Wednesday, March 26, 2003 6:46 PM
    > Subject: Vulnerability scanners
    >
    >
    > Greetings list,
    >
    > Yesterday some reps from Qualys came with a sales
    > presentation for their QualysGuard appliance. I'd like to
    > solicit your comments and opinions on that product. In
    > particular, do you think it's $45,000 per year better than
    > Nessus? (That's about the cost we'd face based on our IP
    > address range.) They claim it costs as much in administration
    > to run Nessus. Does Qualys' claim to more vulnerability
    > signatures and faster/easier updates hold water?
    >
    > Any input you can offer is greatly appreciated.
    >
    >
    >
    > Dan Lynch
    > Information Technology Analyst
    > County of Placer
    > Auburn, CA
    >
    > 530/889-4222
    >
    >
    > Bureaucracy: the art of making the possible impossible.
    >
    >
    > Stop spam and e-mail risk at the gateway.
    > SurfControl E-mail Filter puts the brakes on spam & viruses
    > and gives you the reports to prove it. See exactly how much
    > junk never even makes it in the door. Free 30-day trial:
    > http://www.surfcontrol.com/go/zsfptl1

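Added example, not code from the thread or from any of its participants: the "templated weekly report" Rob describes amounts to diffing this week's scan against last week's and filling a fixed summary. The script below does that for two result sets in the flat pipe-separated NBE file format that Nessus 2.x wrote at the time; the exact field layout is assumed from that format, and the hosts, plugin numbers and finding texts are constructed sample data, not real scan output.

```python
"""Week-over-week diff of two Nessus scan result sets.

Added example, not code from the pen-test thread. Assumes the Nessus 2.x
NBE flat-file output, where each finding is one pipe-separated line:
    results|<subnet>|<host>|<port>|<plugin id>|<severity>|<text>
The two result sets below are constructed sample data; hosts, plugin
numbers and texts are illustrative only.
"""
from collections import Counter

LAST_WEEK_NBE = """\
timestamps|||scan_start|Thu Mar 20 01:00:00 2003|
results|10.0.5|10.0.5.10|ssh (22/tcp)|10881|Security Note|SSH server version 3.5p1
results|10.0.5|10.0.5.10|http (80/tcp)|11030|Security Hole|Apache chunked encoding overflow
results|10.0.5|10.0.5.20|smtp (25/tcp)|10263|Security Warning|SMTP server accepts relaying
results|10.0.5|10.0.5.30|telnet (23/tcp)|10280|Security Warning|Telnet service is running
timestamps|||scan_end|Thu Mar 20 02:55:00 2003|
"""

THIS_WEEK_NBE = """\
timestamps|||scan_start|Thu Mar 27 01:00:00 2003|
results|10.0.5|10.0.5.10|ssh (22/tcp)|10881|Security Note|SSH server version 3.5p1
results|10.0.5|10.0.5.20|smtp (25/tcp)|10263|Security Warning|SMTP server accepts relaying
results|10.0.5|10.0.5.30|telnet (23/tcp)|10280|Security Warning|Telnet service is running
results|10.0.5|10.0.5.40|microsoft-ds (445/tcp)|11110|Security Hole|SMB null session allowed
timestamps|||scan_end|Thu Mar 27 02:40:00 2003|
"""

# Nessus 2.x severity labels, highest first.
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}


def parse_nbe(text):
    """Map (host, port, plugin_id) -> (severity, description) for every
    'results' record; timestamp and other record types carry no finding."""
    findings = {}
    for line in text.splitlines():
        if not line.startswith("results|"):
            continue
        parts = line.split("|", 6)   # the free-text field may itself contain '|'
        if len(parts) < 7:
            continue                 # tolerate short records without text
        _, _subnet, host, port, plugin_id, severity, desc = parts
        findings[(host, port, plugin_id)] = (severity, desc.strip())
    return findings


def diff_scans(previous, current):
    """Classify findings as new, fixed or unchanged relative to the previous
    run. Each list holds (host, port, plugin_id, severity, description)
    rows ordered highest severity first, so the summary leads with what
    matters."""
    def rows(keys, source):
        found = [(*k, *source[k]) for k in keys]
        return sorted(found, key=lambda r: (-SEVERITY_RANK.get(r[3], 0), r[:3]))

    prev_keys, cur_keys = set(previous), set(current)
    return {
        "new": rows(cur_keys - prev_keys, current),
        "fixed": rows(prev_keys - cur_keys, previous),
        "unchanged": rows(cur_keys & prev_keys, current),
        "open_by_severity": dict(Counter(sev for sev, _ in current.values())),
    }


def render_summary(diff, label):
    """Fill a fixed report template: what is open now, what appeared and
    what disappeared since the last run. Returns the report text."""
    lines = [f"Weekly scan summary ({label})"]
    lines.append(f"Open findings: {sum(diff['open_by_severity'].values())}")
    for sev in sorted(diff["open_by_severity"], key=lambda s: -SEVERITY_RANK.get(s, 0)):
        lines.append(f"  {sev}: {diff['open_by_severity'][sev]}")
    for title, key in (("New since last scan", "new"), ("Fixed since last scan", "fixed")):
        lines.append(f"{title}: {len(diff[key])}")
        for host, port, plugin_id, sev, desc in diff[key]:
            lines.append(f"  [{sev}] {host} {port} (plugin {plugin_id}): {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    delta = diff_scans(parse_nbe(LAST_WEEK_NBE), parse_nbe(THIS_WEEK_NBE))
    print(render_summary(delta, "week of 27 Mar 2003"))
```

On the sample data the report shows one new Security Hole (the 445/tcp host that appeared this week), one fixed (the Apache finding gone from 10.0.5.10) and three unchanged; the analyst's weekly effort is then reading the "new" and "fixed" lists and confirming each one, not re-reading the whole class C.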

