[Discuss] External network scanning service

[Matt Shields]

Thanks Tom & Dan, I'll check them out.  At a previous company our security
officer used the self-hosted Nessus.

Matt

On Sat, Mar 28, 2015 at 7:30 AM, Dan Ritter <dsr at randomstring.org> wrote:

> On Fri, Mar 27, 2015 at 04:28:35PM -0400, Tom Metro wrote:
> > Matt Shields wrote:
> > > I'm
> > > looking for a SAAS that I can add my subnets and they will scan them
> daily
> > > and check for open ports and known vulnerabilities, etc and send us a
> > > report.
> >
> > I asked a similar question back in June:
> >
> > http://www.mail-archive.com/discuss%40blu.org/msg09068.html
> >
> > Although my expectation was that a SaaS solution wouldn't do the job as
> > some exploits need to be performed on the same network segment, although
> > so few potential attackers would have that access, a SaaS approach is
> > probably good enough.
> >
> > The answer I got back was, "Isn't that what Metasploit is for?"
> >
> > So why the lack of SaaS offerings? Is it due to technical reasons or
> > because of fear of liability? (A search did turn up
> > https://www.qualys.com/; I can't find pricing on their site.)
> >
> > It sure seems like there ought to be a market for this.
>
> Veracode offers this, calling it automated web application
> perimeter testing. They want about $2K/year, for which you get
> more or less unlimited usage.
>
> Tenable offers Nessus Cloud, which is the Nessus scanner, plus
> their secret sauce, as a web service. That's also around
> $2K/year.
>
> Nessus was forked before Tenable closed it, and the resulting
> project is called OpenVAS. I don't know how many groups will run
> it against you for some amount of money.
>
> In general, the term you want to google for is "vulnerability
> assessment".
>
> -dsr-
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>