Rapid7 Nexpose is a vulnerability scanner that aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation. It is sold as standalone software, an appliance, a virtual machine, a managed service, or a private cloud deployment. User interaction is through a web browser. There is a free but limited Community Edition as well as commercial versions, which start at $2,000 per user per year.
For downloads and more information, visit the Nexpose homepage.
My team used this for quite some time, and compared to generic infrastructure VA tools like Nessus and Foundstone, we found the value in using a specialized Web VA tool. It found more and specific issues with precise recommendations to fix them. I recommend it based on my experience. I haven't explored the IBM and HP counterparts yet... I understand that they are relatively costlier.
-Scanning for vulnerabilities
-Ability to manage multiple credentials from the GUI
-Reports on large sites usually aren't even possible
-GUI is worthless
-Must be proficient with the Nexpose Ruby gem
-Some of the asset group filters are broken (confirmed by support)
-Scans are limited to sites
Nexpose (from Rapid7) is also marketed by Symantec as CCS-VM under an OEM license. It is one of the best vulnerability scanners I have found. Its power lies in the discovery scan and in the discovery of vulnerabilities of various operating systems. Authenticated scans are non-intrusive and perform best. It uses nmap for fingerprinting the OS and for discovery of open ports and services. It has a Metasploit engine that performs the scans. Bundled with Metasploit, it can be used for validating the vulnerabilities that can be exploited, thus reducing false positives and also helping to focus on the critical vulnerabilities. The only downside is web application scanning, which requires configuration that is a bit complex.
1. Integration with Metasploit; and
2. It's a vulnerability management solution and not just a typical scan-and-finish VA scanner.
1. Bad reporting.
2. Issue descriptions and recommendations are just as bad as OpenVAS;
3. Poor customer support and takes a long time to respond;
4. Vulnerability database is not comprehensive enough as compared with its competitors; and
5. Not value for money.
Any scanner is going to have some false positives, but Nessus users who say that they find many more FPs with Nexpose than with Nessus are probably not configuring the tool correctly. Make sure to run a credentialed scan and to scale the reliability rating for vulnerabilities accordingly. Nessus is not a bad tool, but it is not an enterprise solution, so it does not have some of the flexibility/functionality directly available. You don't compare Nessus to Nexpose. You compare Tenable SC to Nexpose.
No, it does NOT find more than Nessus. This product still has a long way to go. Hence why it was bought by another company (Rapid7). Stick with Nessus. Nothing beats it. NeXpose missed simple Flash updates and gave false positives, which will just waste your time finding out the program was wrong.
While no single tool can be a "silver bullet" in protecting networks from an internal or external perspective, Nexpose does a very thorough job.
I use the Professional Edition at work and the Community Edition at home.
Aside from some of the "canned scanning" methods, the Community Edition that I use for home-based events is equally as good as the Professional.
As with any Security Vulnerability Assessment Tool, the reports are only a start to validating and finding what is really going on in the network space you are testing.
Discovery - A
Fingerprinting - B(-)
False Positives - B
Compliance - A(+) [PCI Very Strong]
Reporting - C
Logging - B(+)
Overall a solid tool to have in the kit; but not a one-stop shop to have 100% reliance on for every situation.