Review of 12 Vulnerability Scanners

produke points us to a review of security vulnerability scanners. It's light on detail and not terribly well organized, but might provide a starting point for more research. From the article: "A few months back I did some intense testing of all the best vulnerability scanners out there... I had a couple nix boxes hooked up, as well as some dozers, and figured I could add clients to a 'once-a-week' scanning contract. So naturally, I wanted to use the scanner that was the best for my purpose... Better to use firewalk, hping3 (now with scripting!), nmap, etc., and leave these crutch-like tools alone."

Only 11

[nacturation]

Am I missing something? If you RTFA it's only 11 scanners, conveniently listed as 1 through 11:

      1. ISS Internet Security Systems
      2. SSS Shadow Security Scanner
      3. Retina eEye
      4. Nessus
      5. GFI Languard Network Security Scanner
      6. Qualys www.qualys.com
      7. Nstealth Security Scanner www.nstalker.com
      8. Nikto
      9. Whisker
    10. Infiltrator infiltration-systems.com
    11. Nscan
 

Re:Only 11

[Timesprout]

12 is actually a cloaked scanner for CIA/NSA uber secret scanning. Its there you just cant see it. Trust me.

Also in the interests of national security forget you read this post.

Re:

[MagusSlurpy]

Don't worry, my fifty-caliber memory erasure ray will clear it out of there.

Re:

[null-sRc]

I guess the poster codes in C and saw the last entry as 11

Core Security

[Heembo]

Guys, you missed Core Security; it's one of the most solid vulnerability assessment tools I've used in 2006. http://www.coresecurity.com/ [coresecurity.com] Its BY FAR one of the best-of-breed tools out there.

Re:

[Anonymous Coward]

Core's not a vulnerability scanner.

Don't get me wrong, it's a great product, but Core Impact [coresecurity.com] and Immunity's Canvas [immunityinc.com] are in a class of their own (well, along with Metasploit [metasploit.com] of course). Different focus for the product, so an entirely different set of requirements you'd compare them against. They're built specifically for penetration testing. They don't just look for vulnerabilities, they actually try to exploit those vulnerabilities and use them to exploit other vulnerabilities.

So if, for example, you

Re:

[Heembo]

That was a very insightful comment; thanks for chiming in! Canvas is decent, but you need to program in the exploits. In a Canvas vs. Core test, I'm preferential to core - but some of my old-school risk assessment friends swear by Canvas.

Do you have any Canvas vs. Core thoughts, oh wise Anonymous one?

Re:

[ResidntGeek]

That was a very insightful comment; thanks for chiming in!
...
oh wise Anonymous one?

Wow. Your sig is perfectly correct.

Re:

[Heembo]

Your mother sleeps with goats. Have a nice day!

Re:

[dkleinsc]

12. Fnord

That's your answer on what happened to it.

Re:

[Anonymous Coward]

The twelfth scanner is you, the audience; without you we're nothing.

Re:

[markmier]

This one goes to 12.

The sweet smell of FUD, nice one smitty

[Gothmolly]

"once a week scanning contract" - do they make core architectural changes that often? Damn, if you signed someone up for that level of cash, I take my hat off to you, man. If all you're doing is running nmap from your cable modem, your cost is nothing more than rent to your parents for use of the basement, and your charge to your mark^Wcustomer is pure profit.

Re:

[GigsVT]

People pay for stupider things. Like "service monitoring"... GET /index.html... 200, yep you are ok. Please pay my invoice!

Re:

[ScentCone]

People pay for stupider things. Like "service monitoring"... GET /index.html... 200, yep you are ok. Please pay my invoice!

Yeah. But the way I do it is to get a document that, in order for it to render, has to make database connections, deal with a web service, and report back the time it took perform those tasks... and log the results in a table that is used to drive a performance history, going back months. And, of course, e-mail and text messaging to the folks who need to be pleasantly informed if som

Re:

[kpharmer]

> "once a week scanning contract" - do they make core architectural changes that often?

Think of it this way - do they tell you when they make changes to their systems? Answer: of course not.

So, either you scan monthly or quarterly - and leave vulnerabilities undetected, unreported and wide open to exploit for weeks or months. Or you scan much more frequently, and catch it when it happens.

Just need a nice way to identify deltas so that they don't constantly have to wade through false positives.

"It's light on detail ..."

[Bob Cat - NYMPHS]

Therefore, it's perfect for SlashDot!

Re:

[mordors9]

And short on ethics. We are advised one way to get a copy for testing is via warez. But we are also told not to use them for cracking so I guess it is okay.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Wow

[Tihstae]

I think a third grader could write a better review then that steaming pile of shit.

I think a third grader knows the proper usage of the words then and than.

Re:

[Master of Transhuman]

Why?

In my experience, there's never a reason not to insult monkey-children - there are no easier targets - except their parents (and George Bush).

Re:

[AlamedaStone]

monkey-children ... (and George Bush)

Why the parent post isn't rated redundant I'm sure I don't know.

Re:

[Anonymous Coward]

I normally don't take the time to write useless "I concur!"-type comments--especially under AC--but it must be said. I have never seen an "article" this poorly written linked on slashdot. This is not a review, it is the drug-distorted rambling of a nine-year-old.

Re:

[maddskillz]

I concur!

Re:

[heson]

Get real! Fourteen years old, maybe even fifteen.

Re:

[joe_cot]

I have never seen an "article" this poorly written linked on slashdot.

I have. [slashdot.org] You must not read slashdot very often.

Re:

[JPriest]

You didn't read the disclaimer in the article summary? I think the Internet would be quite a bit safer if more companies took an automated vuln scanner to their gear once in a while.

Re:

[roger6106]

You must be new here.

Re:

[ScrewMaster]

Okay people, I think implementation of the Slashdot Semantic Analysis Filter is long, long overdue.

Am I wrong?

[flyneye]

Am I wrong to think that vulnerability could be tested from the Backtrack Live cd?
http://www.remote-exploit.org/index.php/BackTrack [remote-exploit.org]
If I'm wrong I apologize,If not,well,it's a free download fulla' tools.
maybe I'm missing something here,maybe not.

Is this the bottom?

[ICA]

Have the stories here finally sunk as low as they can possibly go? Can it only go up from here? Let's hope so.

'nix and 'dozers was bad enough, but then a splog with nothing of substance was just too much.

Re:

[Master of Transhuman]

splog = spam blog

Google is your friend.

Also Wikipedia http://en.wikipedia.org/wiki/Spam_blogs [wikipedia.org]

Re:

[ChazeFroy]

Why do people use "nix" or "*nix" when talking about Linux? "*nix" doesn't even glob to "Linux".

Re:

[produke]

Why do people use "nix" or "*nix" when talking about Linux? "*nix" doesn't even glob to "Linux".

nix is commonly used to referred to both Unix and Linux

Re:

[Darth Android]

I could crap on my keyboard and then submit that.

Yes but

[Watson Ladd]

can they perform cunnilingus on a hardwood floor?

Iv'e played with a few of these.

[Victor Fors]

Granted, i don't consider myself to be in a proper position to write a review of them. However, a few points:

* Most of these are completely outdated, and easily miss newer security holes. (maybe apart from CORE, which is a commercial and expensive scanner).
* They are loud and noisy, and due to using well-known shellcode and attack patterns extremely prone to setting off IDS systems.
* They are, in comparison to Nmap + version scan + personal archive of public exploits, very slow.

Simply spidering public exploits off archive sites (milw0rm, packetstorm, etc...) and using custom shellcode (even without using tricks like polymorphism) would in my opinion result in much, much higher efficiency compared to using any of these programs.

Strangely, he links to a proper review

[bcmm]

Here [networkcomputing.com] is the link, for those who don't want to give him any ad revenue.

Re:

[strider44]

That link is dated from six years ago. I don't think that it should be counted as a good review of current software.

Re:

[greginnj]

... You must LOOK UP to see the source of the GIANT WHOOSHING SOUND ...

Re:

[strider44]

Don't be idiotic. I got the joke and it was pretty irrelevant to what I said.

Hmmm

[GregNorc]

I think I'll stick with the easy way... Knoppix STD and a very authentic looking janitor's uniform.

Where do people find this crap?

[madsheep]

I am baffled that someone even came across this article let alone posted it to Slashdot. This is probably one of the most juvenile reviews I have ever read. On top of that it's quite obvious it was written by a script kiddie. Who would actually do a [limited] review of security tools and talk about how they "can be tested for free, either through an evaluation or trial, or warez"?? This is by far one of the saddest reviews I have ever seen.

I pray that no one out there even considers using this person