Security Basics mailing list archives

Re: Local Software Scanner for vulnerabilities
From: Pascal Heraud <pascal.heraud () laroueverte com>
Date: Wed, 31 Aug 2011 15:19:06 +0200

Thank you all for responses, a very interesting overview of tools.

I'd like to have a tool capable of quickly locally detecting any vulnerable package, not much. My need is so simple and solutions so complex or expensive, that I'm planning to make my own tool. The only point is to build a matching database between application names from CVEs and the ones from OS. I'll start with Gentoo / Debian as it's my first need.

I'll continue to use security scanners from time to time to have a full security assessment of servers.

Pascal.
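The tool Pascal sketches above (list installed packages, map distro package names to the product names CVE entries use, compare versions, raise alerts), worked through as an added Python example. This is not code from the thread or from any product discussed in it. Everything in it is constructed for illustration: the dpkg-query output, the package-name-to-product table, and the CVE records with their placeholder ids and made-up version ranges.

```python
"""Local package vs CVE matcher, sketched along the lines Pascal describes.

Added example, not code from the thread. All inputs are constructed:
the dpkg-query output, the package-name -> CVE product map, and the CVE
records (placeholder ids, made-up version ranges).
"""
import re
from dataclasses import dataclass

# 1. Inventory. Constructed text in the shape of
#    dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE_DPKG = """\
apache2 2.2.16-6+squeeze3
openssl 0.9.8o-4squeeze2
bind9 1:9.7.3.dfsg-1~squeeze3
bash 4.1-3
libfoo1 1.0-2
"""


def parse_dpkg(text):
    """Return {package: debian_version} from 'name version' lines."""
    inventory = {}
    for line in text.splitlines():
        if line.strip():
            pkg, ver = line.split(None, 1)
            inventory[pkg] = ver.strip()
    return inventory


# 2. The hand-built map from distro package names to the product names a
#    CVE entry uses. These mappings are assumptions for the example.
PKG_TO_PRODUCT = {
    "apache2": "http_server",
    "openssl": "openssl",
    "bind9": "bind",
    "bash": "bash",
}


def debian_upstream_version(ver):
    """'1:9.7.3.dfsg-1~squeeze3' -> '9.7.3.dfsg' (drop epoch and revision)."""
    if ":" in ver:
        ver = ver.split(":", 1)[1]
    if "-" in ver:
        ver = ver.rsplit("-", 1)[0]
    return ver


def version_key(ver):
    """Comparable key: '0.9.8o' -> ((0,''),(9,''),(8,'o')). Numeric parts
    compare as ints, letter suffixes as strings, so 0.9.8o < 0.9.8p."""
    key = []
    for part in re.split(r"[.+~]", ver):
        num, rest = re.match(r"(\d*)(.*)", part).groups()
        key.append((int(num) if num else -1, rest))
    return tuple(key)


# 3. Constructed CVE feed: product plus an affected upstream range
#    [affected_from, affected_below). Ids are placeholders, not real CVEs.
@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    affected_below: str
    affected_from: str = "0"


SAMPLE_CVES = [
    CveRecord("CVE-EXAMPLE-1", "http_server", affected_below="2.2.20"),
    CveRecord("CVE-EXAMPLE-2", "openssl", affected_below="0.9.8p"),
    CveRecord("CVE-EXAMPLE-3", "bind", affected_below="9.7.2"),  # older than installed
    CveRecord("CVE-EXAMPLE-4", "bash", affected_from="4.2", affected_below="4.3"),
]


def match(inventory, cves, name_map):
    """Return (alerts, unmapped): alerts are (pkg, version, cve_id) triples
    for installed upstream versions inside an affected range; unmapped lists
    packages the name map does not cover, which cannot be checked at all."""
    alerts, unmapped = [], []
    for pkg, ver in sorted(inventory.items()):
        product = name_map.get(pkg)
        if product is None:
            unmapped.append(pkg)
            continue
        installed = version_key(debian_upstream_version(ver))
        for cve in cves:
            if cve.product != product:
                continue
            if version_key(cve.affected_from) <= installed < version_key(cve.affected_below):
                alerts.append((pkg, ver, cve.cve_id))
    return alerts, unmapped


def run_sample():
    """Run the matcher over the constructed inventory and feed."""
    return match(parse_dpkg(SAMPLE_DPKG), SAMPLE_CVES, PKG_TO_PRODUCT)


if __name__ == "__main__":
    alerts, unmapped = run_sample()
    for pkg, ver, cve_id in alerts:
        print(f"ALERT    {pkg} {ver}: matches {cve_id}")
    for pkg in unmapped:
        print(f"UNMAPPED {pkg}: no CVE product name, not checked")
```

The sample already shows the two places where this approach needs care. First, libfoo1 lands in the unmapped list: a package with no entry in the name table is silently unchecked, so the size of that list is the honest measure of how much of the mapping work remains. Second, openssl is flagged because its upstream version 0.9.8o falls in the constructed range, but its Debian revision (-4squeeze2) may already carry a backported fix. Debian and other distributions routinely fix a CVE without changing the upstream version, so comparing upstream version strings against CVE ranges produces false positives on patched packages; a tool meant for real use should consume the distribution's own security tracker data, which records the fixed package version per release, and should compare versions with the distribution's own logic (dpkg --compare-versions on Debian) rather than the simplified key above.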

On 08/31/11 13:37, Sheldon Malm wrote:
Pascal,

Full disclosure: I work for Rapid7.

NeXpose Community Edition is free and supported on Windows and Linux.  Definitely worth checking out.  If you need 
something that is commercially supported, there are several options for NeXpose that can scale to meet your needs at 
affordable price points.

I agree with Todd ... BigFix is a great product, but it solves a different need, is agent-based, and is not what I would 
describe as affordable for what you're trying to accomplish.

I hope this helps.

Sheldon Malm
Senior Director, Security Strategy & Alliances
Rapid7

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Todd Haverkos
Sent: Monday, August 29, 2011 9:44 AM
To: Pascal Heraud
Cc: security-basics () securityfocus com
Subject: Re: Local Software Scanner for vulnerabilities

Pascal Heraud <pascal.heraud () laroueverte com> writes:

Hello,

I'm looking for a simple tool capable of :
- Listing local installed software (standard packages) for all linux
and windows systems.
- Downloading CVEs database that is free of charge
- Comparing local software and CVEs to issue security alerts.
- Simple to install, cross platforms

Tenable Nessus is just $1200 a year and hits all your points except
that wish for something free.  It's agentless so you wouldn't have to
install something on every machine--one scanner can be configured to
login with credentials to do full scanning of the entire environment,
and enumerate installed software on those boxes.  Their plugin
writeups all reference the relevant CVEs.

If free is important and it's a home network you're interested in
defending, they do offer a home feed for non-commercial use.  If
you're using it in a business of any sort, $1200 is not much to pay a
year.  If you're dealing with a non-profit, it's possible to get pro
feed at no cost:
http://www.nessus.org/about-tenable/tenable-in-the-community

If you have more enterprise needs and a desire to see trending,
metrics, and remediation trends for vulnerabilities, reporting, and
control of several scanners in a segmented environment, and having
several users of the vulnerability tools with various privilege
levels, Tenable Security Center is the next step up.  It's licensed by
IP count.

BigFix as suggested by another poster has a rather different model --
that's an agent based solution that'll have pieces installed on every
machine.  You'll find that it's exceedingly non-free, and in fact will
probably cost at least double Security Center for a similar IP count,
and probably 100x a Nessus license depending on your IP count.  :-)
LanDesk and Shavlik are other competitors in that systems management
space.  BigFix can do a lot more than just find vulnerabilities--power
management, patch management (i.e. actually fixing the issues found),
and inventory management are among the itches these things scratch.

If your task is focused on finding vulnerabilities then tossing the
info over the wall to another group to address them, a vulnerability
scanning solution like Nessus or equivalent is likely what you want.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
