Re: Regularly Vulnerability Assessment using QualysGuard - Pro/Cons?



If you are evaluating Nessus and Qualys, have a look at OpenVAS too.

Greenbone has an OpenVAS based appliance: http://greenbone.net/

--
Artis

On Fri, Jan 27, 2012 at 17:23, Wright, Joe # ATLANTA
<Joe.Wright@xxxxxxxxxxxxx> wrote:
Andre;

Qualys does store credentials in the cloud; however, they also have serious security controls around the user's information, such as encryption and so forth. You may wish to look further into their security status and storage process. Alternately, you could use something like Nessus or Tenable Perimeter Security. It really depends on what you are trying to achieve. Qualys, however, tends to be expensive on initial cost and recurring costs.

Joe

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of André Gasser
Sent: Friday, December 16, 2011 1:55 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Regularly Vulnerability Assessment using QualysGuard - Pro/Cons?

Hello list,

I am writing regarding the commercial QualysGuard Vulnerability Management solution [1].

The last few days I was playing with the QualysGuard Vulnerability Management solution and I must say that I really like the way it works.
It allows you to attach a Qualys box to a network segment and then run regular vulnerability scans inside that environment.

Now, I face the problem that there seem to be many customers around who do not like the way Qualys handles authenticated scans. Since Qualys runs a cloud-based concept, all the access credentials required for doing authenticated scans are stored in their data centers. For some customers, this is a killer criterion. I understand that customers do not like the way it is. Since I am no Qualys expert, I would like to hear some opinions from you. If you use Qualys, how do you handle this situation? And if you do not use Qualys, what tools do you use to conduct regular vulnerability assessments? Do you use plain Nessus or a tool like this?

I think Qualys is a very good tool for running vulnerability assessments on a regular basis. To be honest, I am not aware of the effective costs of such a Qualys subscription. But isn't that cheaper than sending an auditor to the customer's site once a week? Especially if you need to conduct a lot of scans, sending auditors could become very expensive, couldn't it?

Because of the problem regarding authenticated scans, we are currently looking for products that do not store credentials in the cloud and that can be used to easily conduct regular vulnerability assessments.

I highly appreciate your comments on this.

Thank you very much for your time,

André


[1] http://www.qualys.com/products/qg_suite/vulnerability_management/


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



