[Discuss] External network scanning service

[dsr at randomstring.org (Dan Ritter)]

On Fri, Mar 27, 2015 at 04:28:35PM -0400, Tom Metro wrote:
> Matt Shields wrote:
> > I'm
> > looking for a SAAS that I can add my subnets and they will scan them daily
> > and check for open ports and known vulnerabilities, etc and send us a
> > report.
> 
> I asked a similar question back in June:
> 
> http://www.mail-archive.com/discuss%40blu.org/msg09068.html
> 
> Although my expectation was that a SaaS solution wouldn't do the job as
> some exploits need to be performed on the same network segment, although
> so few potential attackers would have that access, a SaaS approach is
> probably good enough.
> 
> The answer I got back was, "Isn't that what Metasploit is for?"
> 
> So why the lack of SaaS offerings? Is it due to technical reasons or
> because of fear of liability? (A search did turn up
> https://www.qualys.com/; I can't find pricing on their site.)
> 
> It sure seems like there ought to be a market for this.

Veracode offers this, calling it automated web application
perimeter testing. They want about $2K/year, for which you get
more or less unlimited usage.

Tenable offers Nessus Cloud, which is the Nessus scanner, plus
their secret sauce, as a web service. That's also around
$2K/year.

Nessus was forked before Tenable closed it, and the resulting
project is called OpenVAS. I don't know how many groups will run
it against you for some amount of money.

In general, the term you want to google for is "vulnerability
assessment".

-dsr-