Wondering what tools folks use for routine internal scanning for vulnerabilities and what's most recommended. There seems to be a plethora of solutions available just now so which is the best/most effective/cheapest?
I have Trend Micro Deep Security Manager which is pretty good at what it does but I'm looking to supplement it with something like Nessus. It's part of a drive to increase our internal capabilities rather than having to rely on independent scrutiny all of the time.
We do a fair bit of development and I'd like to do some internal testing on apps before they go into production (they will always be tested independently before going live but I'm trying to reduce the re-testing).
Any advice would be most welcome.
I went to the Alienvault but it seems there is only a free trial. Please let me know which of the products you mentioned is totally free
OSSIM is the free (limited) version
Use this link: https://dlcdn.alienvault.com/AlienVault_OSSIM_64bits.iso
Nessus and Nmap are great as many people have mentioned. Nexpose from Rapid 7 is also good. If you're looking at MetaSploit and at going beyond just scanning and checking on whether vulnerabilities can be exploited, then you might also want to look at the (free) Penetration Testers Framework (PTF) from the wonderful folks at TrustedSec.
On the software development side have the development teams routinely run
Cross-check with SonarQube's security warnings.