external security scan
Can anyone recommend an external scan tool or service that can be used as an as needed check between annual pen tests? I have looked into Qualys and Nessus and they seem a little expensive for what i'm trying to accomplish.
Andy
2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
Comments
-
docrice
Member Posts: 1,706 ■■■■■■■■■■
Qualys and Tenable are probably priced the way they are because they are actively updating their vuln sigs, etc.. It's been forever since I've looked into OpenVAS, but I'm unsure how much it has matured and its signature quality. There's also Rapid7, although I haven't used their solution yet.
A vuln scan is something you generally don't want to do only once a year, let alone once a month. I'm a proponent of continuously scanning and detecting unexpected changes or new vulnerabilities in your environment as issues come up (like Shellshock and Heartbleed).Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/ -
NightShade03
Member Posts: 1,383 ■■■■■■■□□□
I'm sorry but this isn't an area where you want to "cheap out". Docrice has a great point that you shouldn't be doing this once a year, but a continuous thing (weekly if possible / automated). Every single product you look at in this space - Rapid7, whitehat, nessus, Qualys, etc - are all going to be very pricey. You can go the OpenVAS route, but you'll always be behind in signatures and latest features because it's open source. It's a good product but it semi-defeats the purpose of being up to date and scanning for the latest vulnerabilities.