Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vulnerability Assessment Scanners Comparison

Posted by Hemos on from the interesting-comparisons dept.

Roberto writes "Network Computing is running a comparison between various commercial and vulnerability assessment scanners - and open-source wins, thanks to Nessus, even though none of the tools could do spot all the vulnerabilities that were present in the test lab."

16 of 36 comments (clear)

  1. Version numbers and updates? by shippo · · Score: 2
    Where are the version numbers, particularly of Nessus. How are we to know that they tested the current version, or a version bundled with a 6-month old Linux distribution?

    One other valid point missed in the review is the frequency of product updates. What mechanisms exist to check for newly discovered vunerabilities? Nessus can be made to automatically install updated scripts, but I have absolutely no idea of the other products reviewed. An out of date security tool can be worse than no security tool at all, as it installs a false sense of confidence. Would you put all your trust in a 1-year-old security scanner - I wouldn't.

  2. Re:Vulnerability Scanner Article Well Worth Readin by mjh · · Score: 4
    The comparison is quite detailed, considering the fact that it appears in a magazine that can be bought on the newsstand.

    The most interesting part that I find about this entire article is the fact that this magazine (which I subcribe to) is a free subscription. The magazine doesn't make any money off of subscriptions. The magazine effectively makes all of its money from advertisements. The fact that they would review a opensource competitor is surprising in itself. The fact that they gave it the nod, is going to do nothing but hurt their advertising deals with the commercial products that they reviewed.

    Of course, that's only one way to look at it. The other way to look at is that they just effectively said that if you want to get all your vulnerabilities detected, you need to buy at least one thing. Combine that one thing with the open source product, and you've got a complete solution.

    Is the glass half empty, or half full? Hmmm...

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  3. Almost impossible to do it right by scott1853 · · Score: 5

    It would take a well trained, intelligent human being to discover security flaws. If your need for security is more than the average home-based internet surfer running ZoneAlarm, then you should hire a 3rd-party company specializing in security to evaluate your system.

    I would use scanners only to perform automated checks to make sure that known holes have not been opened after the initial check. Periodically, the 3rd-party company should be hired to come back and recheck the system for old holes as well as new ones that have been discovered since the previous system test.

    1. Re:Almost impossible to do it right by reinke · · Score: 2
      While true that automated checks don't constitute a complete pen, complete pen tests are expensive, while automated checks are quite cost effective. I'd much rather see someone run at least a good automated audit of their site than no audit at all.

      What's sad: Every day we (www.securityspace.com) have examples of customers that KNOW they have high risk security vulnerabilities (holes that would get their box rooted according to Nessus), and don't even bother to pay $50 for an automated audit. It's this type of "the net is so big, and I really won't be hit by a break-in" mentality that will

      • move the major banks/credit card companies to introduce security requirements of their on-line merchants (the way I believe Visa will be forcing firewalls as a requirement)
      • force government legislation on security policies and practices (I believe Spain is already moving there on this)

      I'd almost say site operators are getting what they deserve when they are broken into, except for the fact that it is the visitor of the site these days that ends up paying for it...

  4. Vulnerability Scanner Article Well Worth Reading by dave_aiello · · Score: 5
    The Network Computing Vulerability Assessment Scanner Article is very well written and is particularly helpful to server administrators who have not focused on security issues. I think the Slashdot article could be improved by citing the following passage from the review:
    We set up 17 of the most common and critical vulnerabilities out there, and not one product detected them all.... The closest was the Nessus Security Scanner, which nailed 15 of the 17. But even one hole is too many. Because all the products failed to identify key vulnerabilities, none of them received our Editor's Choice award.
    The comparison is quite detailed, considering the fact that it appears in a magazine that can be bought on the newsstand.

    It may be a bit unfair to take the paragraph I cited out of context because the article goes on to do a good job of weighing the individual pros and cons of the highly rated scanners. Nevertheless, I think the article's key finding is that even the best of the tools they evaluated failed to catch all of the vulnerabilities that they had intentionally installed. Every opportunity should be taken to emphasize this point to the readers.
    --

    Dave Aiello

    --
    -- Dave Aiello
  5. wonder if by fawadhalim · · Score: 2

    nessus-update-plugins would've helped. My guess is that these people used the stock nessus installation without retrieving the latest scans.

    The two vulnerability missed by nessus are at

    http://cgi.nessus.org/plugins/dump.php3?id=10318 and

    http://cgi.nessus.org/plugins/dump.php3?id=10260

    Again, I'm no security expert, but these people should've at least updated the list.

  6. Get a sense of perspective. by Anonymous Coward · · Score: 2

    The whole point of the test was to see which scanners could be used for proper security tests.

    Closed source software showed itself to be just as good, or in this case poor, as open source.

    The "only open source can be trusted" argument only holds up if everyone looks at all the source, which rarely happens except in the luckiest projects.

    I would trust a competently written and tested closed source product more than a crappy open source one any day. It is a matter of quality. If an open source product is better, or as good as a commercial one then I would use that instead.

    Ideology should never be allowed to get in the way of practical concerns, doing so is hjust another way to shoot yourself in the foot.

  7. Re:Vulnerability Scanner Article Well Worth Readin by sphealey · · Score: 2

    _Network Computing_ is one of the good guys out there. Since Novell lost its dominance in corporate networking, _NC_ hasn't had a majority of its ad pages from any one vendor (that may or may not correlate to ad revenue). They seem to be pretty vendor neutral and willing to call shots as they see 'em. They have certainly p**sed off Cisco several times in the last year, which takes some courage. This is one of the few trade rags I trust.

    sPh

  8. Re:Not exactly by nyet · · Score: 2

    Commercial scanners are not produced by "a person off the street". They're produced by professionals that work for companies that have a significant motive for ensuring the accuracy of their products: money

    You poor, misguided, niave thing. Have you ever worked for a "company" that has "professional programmers"? Let me give you a clue. Programmers are programmers. Regardless of whether they work for a "company" or are donating time to an Open Source project, they are just as prone to stupidity as the next guy.

    Commercial products, contrary to your utopian notion, are produced by professional marketing departments that have a significant motive for ensuring that the average consumer THINKS their product is worth its cost. Accuracy, efficiency, function, and stability have nothing to do with it - the Consumer, more often than not, is never in a position to objectively judge the quality of a product.

  9. They missed a very important point - by djrogers · · Score: 4

    Using a proprietary (closed source) vulnerability scanner is sort of equivalent to asking a person off the street to give your home a security check. Do you know what internal code audits are done on the software? What sort of 'reporting' it may do during 'updates'? I don't mean to sound too paranoid, but all it takes is one programmer...

    Another, more down to earth point is the ability to write your own checks for the scanner - are you stuck with paying maintenance fees to a company for updates of dubios quality, or can you go out and write them yourself?

    --
    Think outside the... Hey, where'd the friggin' box go?
  10. Nessus author will be present at OSDEM by raphinou · · Score: 2

    Renaud Deraison and Fyodor will be present, and this could be a subject of discussion. http://www.osdem.org

  11. Where's Cisco Netsonar? by Jacco+de+Leeuw · · Score: 2
    Great to see Nessus and the SATAN off-springs included, but it seems they forgot Cisco's Netsonar.

    Jacco
    ---
    # cd /var/log

    --
    -------
    Warning: Slashdot may contain traces of nuts.
  12. If... by PigleT · · Score: 3

    "Worse, if you are a consulting firm basing your assessment services on these products, you better have some system in place to cover for their shortcomings, as these products don't cut it."

    Er, yeah? A security consulting firm that uses only a few of these as anything more than a starting-point for further hole-research and criticism is doing nothing that I couldn't do myself, and will not seen on my Pigsty. When I consult, I expect to give proper service, and if I get consultants in, I expect perfection.

    "Because all the products failed to identify key vulnerabilities, none of them received our Editor's Choice award."

    If a company relies on an Editor's Choice Award to distinguish good from mediocre from bad, it has altogether too many other problems...!
    ~Tim
    --
    .|` Clouds cross the black moonlight,

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  13. Re:One Word by tooth · · Score: 3
    I know it was a review of system level security/scanners, but here's my one word (for websites) :)

    whisker

  14. Not exactly by drsoran · · Score: 2

    Commercial scanners are not produced by "a person off the street". They're produced by professionals that work for companies that have a significant motive for ensuring the accuracy of their products: money. If Joe Blow Security company said your home was secure but it wasn't, they're not going to get a very good reputation around the industry, will lose customers, and eventually get such a bad name they'll be run out of business. Definitely not something the investors like to see. Capitalism works for good and evil fortunately. Open source scanners are the ones that are more like asking a guy off the street. 95% of the time people are not going to be writing your own exploit modules for them so you have to take the word of that guy off the street you got the scanner and modules from to say that your network is secure. If you ARE skilled in writing modules and evaluating your network, then the best thing would be to use a combination of all of these methods. Get a couple of commercial scanners, get some open source stuff, and write some of your own. With the security of your network at stake there is no such thing as overkill.

  15. List of tools by raffe · · Score: 3

    Here is a list of good tools