2

We are planning for a vulnerability management solution, so I am looking out for evaluation criteria between the well known solutions like Nessus, Qualys and Nexpose. If anyone could share such evaluation points it would be really helpful.

Anders
AirSnow
    As this question is asking for software evaluation *criteria*, not a software recommendation, I am voting not to close it as off-topic. – Neil Smithline Jun 07 '16 at 17:41
  • I tried to edit out the part of the question focusing more on product recommendation (or comparison) and leave the part about evaluation criteria in an attempt to make it more on topic. airhack, feel free to rollback if you want to. – Anders Jun 07 '16 at 20:21

4 Answers

2
  • Bandwidth requirements
  • System requirements
  • Training offerings
  • Reporting
  • Accuracy (number of false positives)
  • Time to scan
  • Extra offerings
    • Example: Nessus has web app tool; Nexpose doesn't
  • Vulnerabilities detected (make a vulnerable device have all three scan it)
zerocool
  • Number of false positives is a very important criterion. Each positive must be investigated to determine if it is a false positive; if most of them are false positives, it creates a lot of work and also makes you treat any positive less seriously. – Kirill Sinitski Oct 06 '16 at 12:57
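The "make a vulnerable device have all three scan it" item in the answer above, together with the false-positive point in the comment, can be turned into a repeatable scoring step: record which issues you deliberately put on a lab host, then measure each scanner's coverage, false positives and scan time against that list. The script below is an added example and is not code from the answer or from any vendor; the scanner names, vulnerability IDs and timings are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed ground truth: vulnerability IDs deliberately present on the lab host.
GROUND_TRUTH = {"VULN-A", "VULN-B", "VULN-C", "VULN-D", "VULN-E"}

# Constructed results, not real product output: scanner name -> (IDs reported, minutes).
SCAN_RESULTS = {
    "scanner-1": ({"VULN-A", "VULN-B", "VULN-C", "VULN-X"}, 42),
    "scanner-2": ({"VULN-A", "VULN-B", "VULN-C", "VULN-D", "VULN-E", "VULN-X", "VULN-Y"}, 95),
    "scanner-3": ({"VULN-A", "VULN-D"}, 18),
}

@dataclass(frozen=True)
class ScannerScore:
    name: str
    true_positives: int   # real issues found
    false_positives: int  # findings with no real issue behind them (pure triage cost)
    false_negatives: int  # real issues missed
    scan_minutes: int

    @property
    def precision(self) -> float:
        reported = self.true_positives + self.false_positives
        return self.true_positives / reported if reported else 0.0

    @property
    def recall(self) -> float:
        present = self.true_positives + self.false_negatives
        return self.true_positives / present if present else 0.0

    @property
    def findings_to_triage(self) -> int:
        return self.true_positives + self.false_positives  # every finding must be checked

def score_scanner(name, reported, scan_minutes, ground_truth=GROUND_TRUTH):
    """Compare one scanner's reported IDs with the issues known to be on the lab host."""
    return ScannerScore(name, len(reported & ground_truth), len(reported - ground_truth),
                        len(ground_truth - reported), scan_minutes)

def rank_scanners(results=SCAN_RESULTS, ground_truth=GROUND_TRUTH):
    """Rank by coverage first, then precision, then scan time (shorter wins)."""
    scores = [score_scanner(n, ids, mins, ground_truth) for n, (ids, mins) in results.items()]
    return sorted(scores, key=lambda s: (-s.recall, -s.precision, s.scan_minutes))

if __name__ == "__main__":
    for s in rank_scanners():
        print(f"{s.name}: recall={s.recall:.2f} precision={s.precision:.2f} "
              f"triage={s.findings_to_triage} minutes={s.scan_minutes}")
```

Swap the constructed sets for the IDs (CVE or plugin IDs) from your own lab host and each product's export, and weight the sort key to match what your team values most.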
0

The free book from O'Reilly on DevOpsSec: Securing Software through Continuous Delivery notes that a vulnerability management solution should create directives for configuration-management tools (including Ansible, Chef, Puppet, Salt, Powershell DSC, and Docker).

This may preclude the three vendors you suggested, so I suggest looking at other solutions.

atdre
0

It sounds like you're looking for an ASV solution and each of these will scan and identify vulnerabilities using the same vulnerability databases and ranking methodologies. The main differentiators are generally cost, ease of use and reporting functionality.

AndyMac
0

One other answer offered "Reporting" as a criterion, but I want to specify and clarify that the reporting should probably also include historical logging of scans for audit purposes.

d1str0