security audit software?
Hello, I was just told by my manager that I am to look into some security audit software. The goal of the software would be for us, who don't specialize in security nor pen-test, would be able to scan the network and it could tell us our problems. Preferably be able to update anything we need, but at the same time we could say "ignore lack of patches on our servers". Also, by the sounds of it, he would like it to be reputable and able to write a report, such that we could hand that off to an official pen-tester or anyone else we may need to hand it off to. I have run across software called nessus and OpenVas. Seems to be the best but one is opensourced while the other is not. Which means we'd be looking more towards nessus so it could do most of the dirty work for us. Does anyone have any personal experience with any audit software or know of which are better than others? Thanks in advance.
2013 Goals: [x] Sec+ [x] CCNA []Proj+ []OSCP
2013 Stretch Goals: [] CCNA-Sec []Land Sec job
2013 Stretch Goals: [] CCNA-Sec []Land Sec job
Comments
-
paul78 Member Posts: 3,016 ■■■■■■■■■■I like Nessus and seems to do a decent job. In our enterprise, we use Qualsys.
Also, one other consideration is to use an outside provider. The services by Dell/Secureworks is relatively affordable. -
tpatt100 Member Posts: 2,991 ■■■■■■■■■□I used GFI Languard a while back and it was pretty easy to use, deploy, update. Generates reports and supports patching Windows systems. Not sure how it is now a days though.
-
yoshiiaki Member Posts: 48 ■■□□□□□□□□Oh wow, quite a diverse selection. Thank you guys. I'll take a look into all of those and see what best suits our needs.2013 Goals: [x] Sec+ [x] CCNA []Proj+ []OSCP
2013 Stretch Goals: [] CCNA-Sec []Land Sec job -
ChooseLife Member Posts: 941 ■■■■■■■□□□Nessus / OpenVAS / Qualys
You may want to evaluate several options and see which product best suites your needs in terms of reports, price model, etc“You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896
GetCertified4Less - discounted vouchers for certs -
rwmidl Member Posts: 807 ■■■■■■□□□□Without knowing your infrastructure, Nessus probably would be a good bet. If you guys are looking to audit workstations/servers and you are an all Windows environment you can look at either Microsoft Baseline Security Analyzer (MBSA) and/or Microsoft Security Compliance Manager (SCM).CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS