BS 7799/ISO 17799
Re: Vulnerability Management System Jul 23 2009 12:28PM
Morrison, John (John Morrison galacoral com)

For a similar requirement last year I settled on the McAfee solution. Not only did it provide strong vulnerability management (instead of just patching), it was also able to deploy changes to mitigate a vulnerability, even when no patch existed. This was done with anti-x, HIPS and host-based firewall signature and configuration changes through a single, centralised console (ePO).

The reporting is pretty good as well. It has different reports for different groups of people - from security expert to CFO.

----- Original Message -----

From: listbounce (at) securityfocus (dot) com [email concealed] <listbounce (at) securityfocus (dot) com [email concealed]>

To: Jose Castineiras <elpacha (at) yahoo (dot) com [email concealed]>

Cc: bs7799 (at) securityfocus (dot) com [email concealed] <bs7799 (at) securityfocus (dot) com [email concealed]>

Sent: Thu Jul 23 04:31:04 2009

Subject: Re: Vulnerability Management System


Thank you all for the responses. I forgot to emphasize that I am not looking for automated vulnerability scanning solutions; what I am looking for is something that is similar to what is offered here:

Best Regards


On Wed, Jul 22, 2009 at 4:43 PM, Jose Castineiras<elpacha (at) yahoo (dot) com [email concealed]> wrote:


> I saw a demo of Qualys Guard tool, I think it can be useful to your analysis


> Good luck.


> Jose R. Castiñeiras.



> --- On Wed, 7/22/09, Etiqk8 <etiqk8 (at) gmail (dot) com [email concealed]> wrote:


> From: Etiqk8 <etiqk8 (at) gmail (dot) com [email concealed]>

> Subject: Vulnerability Management System

> To: "bs7799" <bs7799 (at) securityfocus (dot) com [email concealed]>

> Date: Wednesday, July 22, 2009, 11:15 AM


> Hi All
>
> I am planning to deploy a vulnerability management system in my company, and here I am not talking about a systems patching solution. We have a huge infrastructure with thousands of servers and networking equipment scattered in multiple locations. I am looking for some sort of a centralized framework which will enable us to do the following:
>
> * Have a database of vulnerabilities which are customized the most to our environment; the information can be coming from a subscription to a vulnerability alert service, Penetration Testing & Audit reports, Incident management system or from automated vulnerabilities assessment solutions.
> * Ability to define rules for vulnerabilities rating and priority.
> * Link rated vulnerabilities to listed systems in the corporate systems inventory.
> * Ability to send alerts to system owners through the framework.
> * Ability to monitor the progress on actions taken.
> * Identifying and managing multiple and cross-enterprise vulnerabilities, which will enable effective response to the interrelated impacts, and integrated response to multiple vulnerabilities.
> * Ability to produce reports and statistics for higher management.
>
> I would really appreciate you sharing your thoughts over here, if you have something similar deployed in your corporation, or if you know a commercial or open source solution which will do the same.
>
> Thanks folks
>
> Etiqk8



