Best Web-Based Vulnerability Tester?



W
11-13-10, 02:19 PM
What web-based services offer the best vulnerability testing service that
will test a public web server on an ongoing basis? I'm aware of "Beyond
Security" but they seem like a very small company. There are of course
many software-based tools, but I would rather have this done from outside
our network as a service.

--
W

Regis
11-18-10, 09:03 AM
"W" <persistentone@spamarrest.com> writes:

> What web-based services offer the best vulnerability testing service, that
> will test a public web server on an ongoing basis? I'm aware of "Beyond
> Security" but they seem like a very small company. There are of course
> many software based tools, but I would rather have this done from outside
> our network as a service.

"Best" is kinda specious as the network vulnerability scan space is
fairly commoditized these days. First question though: what are you
scanning? Are you interested in scanning your network for external
facing vulnerabilities, or are you looking for a deep dive into
scanning specific web applications for all their warts on an ongoing
basis? I ask because these are two different animals from a tools
perspective (there are web app scanners and there are network vuln
scanners).

Assuming it's network vulnerability scanning you're interested in,
vendor-wise, if you want a cloud service and don't want to manage your
own scan server, Qualys is considered the leader in this space.
http://www.qualys.com/

There are of course a ton of small security vendors out there that'll
do such a thing for you periodically, some are pretty much "Yeah,
we'll do a periodic Nessus scan for ya and toss it over the wall for
you." These should be very inexpensive because Tenable Nessus is all
of $1200ish a year for them (or you) to license. Which might make you
reconsider hosting the scans yourself and just getting a slice host
out there somewhere that you slap Linux on and a Nessus license and
learn how to set up a scan like you want.

If you want a more known player that's not a direct vendor and would be
a decent ally to have if the poo hits the fan and you need something
else from 'em (such as incident response), consider TrustWave, though
they lean in a PCI direction as an organization. If you don't have
any credit card or PCI concerns at all, there are probably cheaper
solutions:
https://www.trustwave.com/vulnerabilityScanning.php
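Whichever route you take (a vendor tossing a periodic Nessus report over the wall, or your own slice host running the scans), the thing that makes "ongoing" scanning useful is comparing each run against the previous one and alerting on what is new. Below is an added example of that comparison, not code from this thread or from Tenable: it parses two `.nessus` (NessusClientData_v2) exports, summarizes findings per host by severity, diffs the two runs, and flags new findings at or above high severity. The two XML documents are constructed minimal samples; the host address, plugin IDs and plugin names in them are made up for illustration and do not correspond to real Nessus plugins.

```python
"""Summarize and diff two Nessus (.nessus v2) exports.

Added example for this thread, not code from any vendor. The XML below is a
constructed, minimal NessusClientData_v2 document; the plugin IDs, plugin
names and host in it are made up for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute values: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample: last week's export (one host, one medium, one info).
LAST_WEEK = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="external-weekly">
  <ReportHost name="203.0.113.10">
   <HostProperties>
    <tag name="host-fqdn">www.example.com</tag>
   </HostProperties>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
               pluginID="10001" pluginName="TLS 1.0 Enabled" pluginFamily="General"/>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
               pluginID="10002" pluginName="HTTP Server Type" pluginFamily="Web Servers"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Constructed sample: this week's export (TLS 1.0 fixed, a new high and a new low).
THIS_WEEK = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="external-weekly">
  <ReportHost name="203.0.113.10">
   <HostProperties>
    <tag name="host-fqdn">www.example.com</tag>
   </HostProperties>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
               pluginID="10002" pluginName="HTTP Server Type" pluginFamily="Web Servers"/>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
               pluginID="10003" pluginName="Outdated Web Server Version" pluginFamily="Web Servers"/>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
               pluginID="10004" pluginName="SSH Server Type and Version" pluginFamily="Service detection"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return {(host, port, protocol, pluginID): {"severity": int, "name": str}}
    for every ReportItem in a .nessus v2 document. Only the ReportItem
    attributes are read; description/solution child elements are ignored."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        host_name = host.get("name")
        for item in host.iter("ReportItem"):
            key = (host_name, item.get("port"), item.get("protocol"), item.get("pluginID"))
            findings[key] = {
                "severity": int(item.get("severity", "0")),
                "name": item.get("pluginName", ""),
            }
    return findings


def summarize(findings):
    """Count findings per host by severity name,
    e.g. {"203.0.113.10": Counter({"medium": 1, "info": 1})}."""
    per_host = {}
    for (host, _port, _proto, _pid), info in findings.items():
        per_host.setdefault(host, Counter())[SEVERITY_NAMES[info["severity"]]] += 1
    return per_host


def diff_findings(old, new):
    """Split findings into those that appeared since the old scan (added)
    and those present before but gone now (fixed). The key includes host,
    port, protocol and plugin, so a plugin firing on a second port counts as new."""
    added = {k: v for k, v in new.items() if k not in old}
    fixed = {k: v for k, v in old.items() if k not in new}
    return added, fixed


def severe_new_findings(old, new, min_severity=3):
    """The alert condition for a periodic scan: new findings at or above
    min_severity (default 3 = high). Returns sorted finding keys."""
    added, _ = diff_findings(old, new)
    return sorted(k for k, v in added.items() if v["severity"] >= min_severity)


if __name__ == "__main__":
    old = parse_nessus(LAST_WEEK)
    new = parse_nessus(THIS_WEEK)
    for host, counts in summarize(new).items():
        print(host, dict(counts))
    added, fixed = diff_findings(old, new)
    print("new:  ", [(k, v["name"]) for k, v in added.items()])
    print("fixed:", [(k, v["name"]) for k, v in fixed.items()])
    print("alert:", severe_new_findings(old, new))
```

On a real export you would read the two files from disk instead of the embedded strings; the parsing is unchanged. Keying on host, port, protocol and plugin ID (rather than plugin name) is deliberate: names change between plugin feed updates, IDs do not, so the diff stays stable across scans weeks apart.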