In March 2014, a storm happened in our office. Some 50 folks were given marching orders. From being laid back and overstaffed, our office floor was suddenly "awakened" and short-staffed. Some folks had seen their "moment of truth". For me, I was told to take some new tasks. Tasks that my team members were "supposedly" doing. And also an additional role in the security team of our products, SONAS and V7000 Unified. I am always ready to take new tasks. Being an evolved Aquarian, I welcome change.
I started the new role in the security team of our products in my natural style, taking the bull by the horns. I strongly believe that's what works in stormy weather. My method was to question everything. Review everything, and replace or adjust what is appropriate.
As part of this security role, my colleagues used to execute a security scan of our products on a periodic basis, using Nessus. Nessus is a proprietary, comprehensive vulnerability scanner. I studied this task in the same manner - question everything. I found OpenVAS, a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.
I did not use Nessus at all. I told our admin folks not to continue the paid user account that was being used for executing vulnerability scans using Nessus. I started using OpenVAS.
From the OpenVAS web site, I downloaded an image that contained a ready-to-use virtual machine, along with OpenVAS. I prepared a virtual machine on my laptop. It was easy. I like the idea of providing an image that I could download and use to start a virtual machine with OpenVAS installed.
In the scope of my projects, both Nessus and OpenVAS are vulnerability scanners. Both work on the principle of scanning the product for the presence of known security issues. I did not do a deep study to determine which one is slightly better than the other. I did not have that luxury of time. More important was to get the job done, in time, and with minimum money spent. In my limited study of Nessus and OpenVAS, I found Nessus has a richer GUI than OpenVAS.
What was the benefit of using Nessus? The centralized IBM team was managing the Nessus server, at the cost of project money. I decided to put some effort into setting up OpenVAS, maintaining it, and using it. I saved the project money that was spent on the Nessus user account, and on hardware in the lab from where the security scan was initiated.
What is the benefit of using OpenVAS?
* No need to purchase software or any licenses
* No additional hardware needed. OpenVAS is running in a virtual machine, which is running on my laptop
And the cost associated? The effort required to set up and maintain OpenVAS running in a virtual machine.
Considering benefits vs the cost associated, this was a good bargain.
What did I miss? Nessus seems to have a richer GUI than OpenVAS. I am willing to miss a better user experience, for saving some $$$ from my project budget.
In my opinion, rather than which vulnerability scanner is being used, what is important in the scope of my project is identifying the optimal frequency at which scans should be done, and doing it.
Checking the product using a vulnerability scanner during the development phase is important. But this has a limited value. Vulnerability scanners check the product against known security issues. They cannot find security issues that are not yet recognized. Recognizing security issues is done by skilled humans, by looking at code (for example, the Bar Mitzvah attack), by applying new ideas (for example, Slowloris) etc. Then these vulnerability scanners update their "signatures" to detect the new issue.
So, checking the product using a vulnerability scanner during the development phase should be done. This ensures that we are not shipping our product with any of the known security issues. But this does not guarantee our product is 100% secure at the time of release. There could be security issues present in our product, resulting from unsafe code.
If you are not sure about which vulnerability scanner to use, a good idea is to use two vulnerability scanners and compare the results. In my project work, I did not have the luxury of using two vulnerability scanners and comparing the results. So I chose one and used it, with awareness of the situation and the possible outcomes.
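One way to do the "run two scanners and compare the results" step described above, as an added example that is not part of the original post: normalize each scanner's export to a set of (host, CVE) pairs and diff them. The element and attribute names are assumptions modelled loosely on the .nessus and OpenVAS XML layouts, and the hosts and CVE ids are constructed placeholders, not real scanner output.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (placeholder CVE ids, hypothetical host).
# Element and attribute names are assumptions modelled loosely on the
# .nessus and OpenVAS XML layouts, not real scanner output.
NESSUS_SAMPLE = """<NessusClientData_v2><Report>
 <ReportHost name="10.0.0.5">
  <ReportItem port="443" pluginName="Weak TLS cipher"><cve>CVE-0000-0001</cve></ReportItem>
  <ReportItem port="80" pluginName="Slow HTTP DoS"><cve>CVE-0000-0002</cve></ReportItem>
  <ReportItem port="22" pluginName="SSH banner"/>
 </ReportHost></Report></NessusClientData_v2>"""

OPENVAS_SAMPLE = """<report><results>
 <result><host>10.0.0.5</host><port>443/tcp</port>
  <nvt><name>Weak TLS cipher</name><cve>CVE-0000-0001</cve></nvt></result>
 <result><host>10.0.0.5</host><port>8080/tcp</port>
  <nvt><name>Outdated web server</name><cve>CVE-0000-0003</cve></nvt></result>
</results></report>"""


def nessus_findings(xml_text):
    """Return {(host, cve)} for every ReportItem that carries a CVE id.
    Informational items without a CVE (like the SSH banner) cannot be
    matched across scanners by id, so they are left out on purpose."""
    root = ET.fromstring(xml_text)
    found = set()
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            for cve in item.findall("cve"):
                found.add((host.get("name"), cve.text.strip()))
    return found


def openvas_findings(xml_text):
    """Return {(host, cve)} for every result whose NVT lists a CVE id."""
    root = ET.fromstring(xml_text)
    found = set()
    for result in root.iter("result"):
        host = result.findtext("host").strip()
        for cve in result.iter("cve"):
            found.add((host, cve.text.strip()))
    return found


def compare_scans(a, b):
    """Split two finding sets into agreed, only-in-a and only-in-b."""
    return {"both": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    diff = compare_scans(nessus_findings(NESSUS_SAMPLE),
                         openvas_findings(OPENVAS_SAMPLE))
    for key, items in diff.items():
        print(key, sorted(items))
```

Findings that appear in only one scanner's output are the ones worth a manual look: either a signature gap in the other scanner or a false positive.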
Please note: thoughts expressed here are my own, and not necessarily of my employer.