RE: Vulnerability scanners

From: Ken Smith (ksmith@akibia.com)
Date: Thu Mar 27 2003 - 16:08:00 EST


Don't forget that Qualys is not a managed service. You still need to setup the scans, customize the reports, setup scheduling, and make sense of the resulting reports. It's not completely outsourcing, it's an ASP model.

 

-----Original Message-----
From: Jeff Williams @ Aspect [mailto:jeff.williams@aspectsecurity.com]
Sent: Thursday, March 27, 2003 1:59 PM
To: Dan Lynch; pen-test@securityfocus.com
Subject: Re: Vulnerability scanners

Let's assume that you're talking about 256 IPs (based on Qualys' published
pricing), and you want to scan weekly. That's at least a day a week of
effort for someone (probably more to generate a very nice report and
summaries). The cost of a full-time sysadmin (including salary, benefits,
office, etc...) probably costs well north of $100K. You'd have to include
some equipment costs in there. So I doubt you could do it much cheaper.
I think vulnerability scanning is a reasonable thing to outsource for
companies that are not in the security or networking field already.

Still, the incremental cost of their service must be far less than that.
Obviously they've invested in a significant amount in their scanning
engine and report structure. And there will be some maintenance and
network costs to consider. But the cost of adding one more customer
should be fairly small. If their prices don't start approaching this
incremental cost, then there's an opportunity for someone else to enter
the market and provide the service for cheaper. Maybe you can push them
on this point.

Whatever you decide, you should also be sure to consider the cost of
interpreting the results and making the changes to fix any problems
uncovered. Simply having the scan done for you does not relieve you of
the responsibility of going through the findings carefully and keeping
systems hardened.

Please let the list know how this comes out as there are probably many
companies wrestling with this decision now.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: Dan Lynch
To: pen-test@securityfocus.com
Sent: Wednesday, March 26, 2003 6:46 PM
Subject: Vulnerability scanners

Greetings list,

Yesterday some reps from Qualys came with a sales presentation for
their QualysGuard appliance. I'd like to solicit your comments and
opinions on that product. In particular, do you think it's $45,000 per
year better than Nessus? (That's about the cost we'd face based on our
IP address range.) They claim it costs as much in administration to run
Nessus. Does Qualys' claim to more vulnerability signatures and
faster/easier updates hold water?

Any input you can offer is greatly appreciated.

Dan Lynch
Information Technology Analyst
County of Placer
Auburn, CA

530/889-4222

Bureaucracy: the art of making the possible impossible.

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT