Home page logo
/

basics logo Security Basics mailing list archives

Re: Regularly Vulnerability Assessment using QualysGuard - Pro/Cons?
From: Artis Schlossberg <artis () infosec lv>
Date: Wed, 1 Feb 2012 17:21:42 +0100

If you are evaluating Nessus and Qualys, have a look at OpenVAS too.

Greenbone has an OpenVAS based appliance: http://greenbone.net/

--
Artis

On Fri, Jan 27, 2012 at 17:23, Wright, Joe # ATLANTA
<Joe.Wright () globalpay com> wrote:
Andre;

Qualys does store credentials in the cloud, however, they are also have serious security controls around the users 
information such as encryption and so forth. You may wish to look further into their security status and storage 
process. Alternately, you could use something like Nessus or Tenable Perimeter Security. It really depends on what 
you are trying to achieve. Qualys however tends to be expensive on initial cost and recurring costs.

Joe

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of André Gasser
Sent: Friday, December 16, 2011 1:55 PM
To: security-basics () securityfocus com
Subject: Regularly Vulnerability Assessment using QualysGuard - Pro/Cons?

Hello list,

I am writing regarding the commercial QualysGuard Vulnerability Management solution [1].

The last few days I was playing with the QualysGuard Vulnerability Management solution and I must say, that I really 
like the way it works.
It allows you to attach a Qualys box to a network segment and then run regular vulnerability scans inside that 
environment.

Now, I face the problem, that there seem to be many customer around which do not like the way Qualys handles 
authenticated scans. Since Qualys runs a cloud-based concept, all the access credentials required for doing 
authenticated scans, are stored in their data centers. For some customers, this is a killer criteria. I understand, 
that customers do not like the way it is. Since I am no Qualys expert, I would like to hear some opinions from you. 
If you use Qualys, how do you handle this situation? And if you do not use Qualys, what tools do you use to conduct 
regular vulnerability assessments? Do you use plain nessus or a tool like this?

I think Qualys is a very good tool for running vulnerability assessments on a regularly basis. To be honest, I am not 
aware of the effective costs of such a Qualys sucscriptions. But isn't that cheaper than sending an auditor to the 
customers site once a week? Especially if you need to conduct a lot of scans, sending auditors could become very 
expensive, doesn't it?

Because of the problem regarding authenticated scans, we are currently looking for products who do not store 
credentials in the cloud and which can be used to easily conduct regular vulnerability assessments.

I higly appreciate your comments on this.

Thanky you very much for your time,

André


[1] http://www.qualys.com/products/qg_suite/vulnerability_management/


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: Regularly Vulnerability Assessment using QualysGuard - Pro/Cons? Artis Schlossberg (Feb 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]