An Evaluation of Rapid7 NeXpose

Published 2008-08-18 at https://www.webadminblog.com/index.php/2008/08/18/an-evaluation-of-rapid7-nexpose/
Categories: dynamic analysis, software and tools, web app sec. Tags: application, nexpose, pci, rapid7, sales, scanner, security, tactics, vulnerability, web.

I've been focusing a lot of my time lately on our PCI initiatives. One sub-topic that I've spent a particularly large amount of time on has been Requirement 11.2, which says that you need to have internal and external network vulnerability scans performed by a scan vendor qualified by PCI. We already employ one such tool, but I've been working to evaluate several other vulnerability scanning tools to see where our current tool stands in comparison. I'll post my evaluations of each of these tools in time, but for now I'll start with my evaluation of Rapid7 NeXpose.

First off, I had never heard of the company before, but they were among the cheaper options of what I evaluated and apparently are doing some good things. They got the SC Magazine recommendation for the month of August 2008 and received a 5-star overall rating in that magazine. The problem came as soon as I started talking to their salesperson. From the start, the guy was coming off like a used car salesman, asking questions like "What would it take to get you to buy by the end of this month?" This was before I had even seen an evaluation of the product. From that point forward, I don't think a week went by where I didn't hear from the salesperson: "How's the evaluation going? Do you think you're going to buy?" It got annoying very quickly.

The evaluation of the product went fairly smoothly. My biggest gripe was that the company claimed that they did everything that Qualys does and more (they even forwarded me a press release on it), but ultimately failed to deliver on that promise when I found something rather large that Qualys finds and NeXpose does not. To their credit, Rapid7 had engineers and developers calling me and asking about the issue, trying to get it into their system for me. That was pretty cool, but ultimately they're getting paid to find these vulnerabilities for us. You would think that they'd at least have all of the CVE items in their scanning tool.

My missing Qualys vulnerability aside, the NeXpose tool found plenty of issues. This was both a positive and a negative, since a lot of what it found had to do with a single vulnerability being exposed over and over through our site's faceted navigation. It would have been nice if the scanner recognized that, since it made the results look a lot worse than they actually are. Also, when going through the results, I noticed quite a few false positives. It seemed like most of these were due to the scanner just looking at a version number in a header instead of actually trying to test the vulnerability. It found issues with Apache modules that we didn't even have enabled.

My favorite thing about the Rapid7 NeXpose vulnerability scanning tool was the reporting. They provide some very good reports by default. I found the "Remediation Plan Report" particularly interesting, as it provided their suggested path to remediate our vulnerabilities most efficiently and effectively. Was it better than the reporting that I've seen in other products? Maybe, maybe not.

Anyway, my evaluation of Rapid7 NeXpose was coming to a close when I got a call from the salesperson last week. It went something like this...

Salesperson: "Did you hear we got a recommendation from SC Magazine? Yeah, things are busy here. Your evaluation is taking longer than normal and I know you've had several issues with the product; do you think you're going to buy it?"

Me: "Nope, hadn't heard about the SC Magazine thing. We've definitely worked through some issues. Overall, the evaluation went well and I like the product. Once I finish the other evaluations I'm working on, I'll let you know our decision."

Salesperson: "Well, with the amount of business we're getting with the SC Magazine article, I don't have time for you. Feel free to call me back if you decide to buy our product; otherwise, good luck."

What do you say to that? I got dumped by a salesperson, whom I kept dropping hints to leave me alone to do my evaluation, because I was taking up too much of his time? It's a little difficult to do an unbiased review after that, but I tried my best.