robertc
Newcomer I

internal scanning tools

Wondering what tools folks use for routine internal scanning for vulnerabilities and what's most recommended.  There seems to be a plethora of solutions available just now so which is the best/most effective/cheapest?


I have Trend Micro Deep Security Manager which is pretty good at what it does but I'm looking to supplement it with something like Nessus.  It's part of a drive to increase our internal capabilities rather than having to rely on independent scrutiny all of the time.


We do a fair bit of development and I'd like to do some internal testing on apps before they go into production (they will always be tested independently before going live but I'm trying to reduce the re-testing).


Any advice would be most welcome.

15 Replies
JoshuaGabriel
Newcomer III

I went to the Alienvault but it seems there is only a free trial. Please let me know which of the products you mentioned is totally free

JoshuaGabriel
Newcomer III

OpenVAS has been replaced by the community edition of GSM, Greenbone Security Manager. I have tried that and it is very limited in terms of plugins.

DALX
Newcomer II


@JoshuaGabriel wrote:

I went to the Alienvault but it seems there is only a free trial. Please let me know which of the products you mentioned is totally free


OSSIM is the free (limited) version

Use this link: https://dlcdn.alienvault.com/AlienVault_OSSIM_64bits.iso

JoshuaGabriel
Newcomer III

Thank you DALX.


Already downloaded. :)

jordanpw
Newcomer III

Nessus and Nmap are great as many people have mentioned. Nexpose from Rapid7 is also good. If you're looking at Metasploit and at going beyond just scanning and checking on whether vulnerabilities can be exploited, then you might also want to look at the (free) Penetration Testers Framework (PTF) from the wonderful folks at TrustedSec.

eric-nieuwland
Newcomer II

On the software development side, have the development teams routinely run:

  • OWASP Dependency Check
  • OWASP Zed Attack Proxy (ZAP)

Cross-check with SonarQube's security warnings.