Forrester recently published a research paper titled "The Forrester Wave™: Vulnerability Management, Q2 2010" ( http://www.forrester.com/rb/Research/wave%26trade%3B_vulnerability_management%2C_q2_2010/q/id/56932/t/2). It costs $1,740 USD to purchase that report (ouch!). I am fortunate enough to work for a corporation that has a membership with Forrester. Take a look at the executive summary to give you an idea of which vendors they ranked.
You can see a research paper from Gartner (MarketScope for Vulnerability Assessment) at http://www.gartner.com/technology/media-products/reprints/qualys/article1/article1.html .

You never mentioned what kind of budget you have for that purchase. Nessus is a great tool (I currently use it). If all you care about is to scan, fix and move on, that will be the least expensive commercial product you can find, because everyone else charges by the number of IP addresses you are scanning. Nessus just charges for a yearly subscription with no limitation on how many IPs you scan.

If you have a more complex environment, you'll want to move from just vulnerability scanning to vulnerability management instead. Nessus alone doesn't cut it. You really need a database to store your scan results so that you can generate reports in many different ways. With Nessus, I end up with a bunch of HTML report files generated based on templates available in Nessus.

We are now looking at maturing our vulnerability assessment capabilities. I figure that using one of those commercial tools like the ones from Rapid7, Qualys or Tenable, it will cost anywhere between $30-50K to purchase for around 2000 IPs.

This might also be an interesting read, to educate yourself: The Essential Guide to Vulnerability Scanning - http://www.itsecurity.com/features/essential-guide-vulnerability-scanning-060508/

Good luck!

On Tue, Aug 31, 2010 at 11:29 AM, Albert R. Campa <[email protected]> wrote:
> This is true. When you said Core, I thought, do they have a vuln scanner?
>
> I installed Nessus home and Nexpose community on BT4 and did some scanning
> and comparison. I haven't had time to put everything together, but as someone
> stated it would be good to test them out.
>
> __________________________________
> Albert R. Campa
>
>
> On Tue, Aug 31, 2010 at 12:10 PM, Paul Asadoorian <[email protected]> wrote:
>
>> Hi Andrew,
>>
>> I wasn't sure from your email if you were comparing penetration testing
>> frameworks to vulnerability scanners, but they should be thought of, and
>> treated as, separate products.
>>
>> In short: a vulnerability scanner is going to give you a comprehensive
>> view of your vulnerabilities.
>>
>> An exploit framework is going to give you more depth and intrusiveness
>> into the vulnerabilities that exist.
>>
>> My other suggestion is that when you compare vulnerability scanners,
>> don't use the default settings to compare. Take the time to test each
>> one against a test environment and tune the scanner accordingly. Also,
>> your targets should be real, and you should have a pretty good idea of the
>> vulnerabilities that exist before you start running scans. There is a
>> lot more to take into consideration; feel free to ping me with specific
>> questions.
>>
>> Hope that helps!
>>
>> Cheers,
>> Paul
>>
>> On 8/31/10 12:02 PM, Andrew Anderson wrote:
>> > So I'm looking to justify the purchase of a vulnerability scanning
>> > product and am looking for some objective opinions.
>> >
>> > I am partial to Nessus, due in part to the fact that I have used it
>> > before and its price is really attractive.
>> > I am looking at Core as well - trying to figure out which one of their
>> > products lines up best with Nessus professional feed (for comparisons).
>> >
>> > Can anyone point me to a decent third party comparison online?
>> > Does anyone have any suggestions for a third contender for my list?
>>
>> --
>> Paul Asadoorian
>> PaulDotCom Enterprises
>> Web: http://pauldotcom.com
>> Phone: 401.829.9552
>> Fax: 1.877.846.2187
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
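The reply above makes the point that a scanner alone leaves you with a pile of per-scan HTML reports, and that vulnerability management starts when results land in a database you can query in different ways. The following is an added example, not code from the thread or from Tenable: it assumes the Nessus v2 XML export format (a `.nessus` file with `ReportHost` and `ReportItem` elements), loads it into SQLite, and then answers the questions a report template cannot answer across scans: how many findings per severity, which hosts need a given plugin fixed, and which hosts carry the most risk. The sample document, host addresses and plugin IDs are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Nessus v2 XML export (.nessus file).
# Hosts, plugin IDs and plugin names are made up for illustration.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="constructed-scan">
  <ReportHost name="10.0.0.5">
   <HostProperties>
    <tag name="host-ip">10.0.0.5</tag>
    <tag name="operating-system">Example OS 1.0</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="100001" pluginName="Constructed SMB finding" pluginFamily="Windows">
    <cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="100002" pluginName="Constructed info finding" pluginFamily="General"/>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <HostProperties>
    <tag name="host-ip">10.0.0.6</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="100001" pluginName="Constructed SMB finding" pluginFamily="Windows">
    <cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="100003" pluginName="Constructed SSH finding" pluginFamily="Misc.">
    <cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS scans (
    id INTEGER PRIMARY KEY, name TEXT, imported_at TEXT DEFAULT CURRENT_TIMESTAMP);
CREATE TABLE IF NOT EXISTS findings (
    scan_id INTEGER, host TEXT, os TEXT, port INTEGER, protocol TEXT, service TEXT,
    plugin_id INTEGER, plugin_name TEXT, family TEXT, severity INTEGER, cvss REAL);
"""


def open_db(path=":memory:"):
    """Open (or create) the results database and make sure the schema exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def import_nessus(conn, xml_text):
    """Parse one .nessus v2 document and store every ReportItem as a finding row.
    Returns the number of findings stored."""
    root = ET.fromstring(xml_text)
    stored = 0
    for report in root.iter("Report"):
        cur = conn.execute("INSERT INTO scans (name) VALUES (?)", (report.get("name"),))
        scan_id = cur.lastrowid
        for host in report.iter("ReportHost"):
            props = host.find("HostProperties")
            tags = {} if props is None else {t.get("name"): t.text for t in props.findall("tag")}
            address = tags.get("host-ip") or host.get("name")
            for item in host.findall("ReportItem"):
                cvss = item.findtext("cvss_base_score")  # absent on informational plugins
                conn.execute(
                    "INSERT INTO findings VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                    (scan_id, address, tags.get("operating-system"),
                     int(item.get("port")), item.get("protocol"), item.get("svc_name"),
                     int(item.get("pluginID")), item.get("pluginName"),
                     item.get("pluginFamily"), int(item.get("severity")),
                     None if cvss is None else float(cvss)))
                stored += 1
    conn.commit()
    return stored


def severity_counts(conn):
    """Findings per Nessus severity level (0 = info ... 4 = critical) across all scans."""
    rows = conn.execute(
        "SELECT severity, COUNT(*) FROM findings GROUP BY severity ORDER BY severity")
    return {sev: n for sev, n in rows}


def hosts_affected_by_plugin(conn, plugin_id):
    """Which hosts triggered a given plugin: the 'who needs this patch' report."""
    rows = conn.execute(
        "SELECT DISTINCT host FROM findings WHERE plugin_id = ? ORDER BY host", (plugin_id,))
    return [r[0] for r in rows]


def hosts_by_risk(conn):
    """Hosts ranked by summed CVSS base score of their non-informational findings."""
    rows = conn.execute(
        "SELECT host, ROUND(SUM(cvss), 1) FROM findings "
        "WHERE severity > 0 GROUP BY host ORDER BY 2 DESC, host")
    return [(h, s) for h, s in rows]


def demo(path=":memory:"):
    """Import the constructed sample; returns the connection and the stored row count."""
    conn = open_db(path)
    return conn, import_nessus(conn, SAMPLE_NESSUS)


if __name__ == "__main__":
    conn, n = demo()
    print(n, "findings imported")
    print("by severity:", severity_counts(conn))
    print("hosts needing plugin 100001 fixed:", hosts_affected_by_plugin(conn, 100001))
    print("hosts by risk:", hosts_by_risk(conn))
```

Pointing `demo()` at a file path instead of `:memory:` keeps every import, so the same queries can be filtered by `scan_id` to compare one month's scan with the next; that trend view across scans is exactly what a stack of template-generated HTML files does not give you.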
