Looking at options for vulnerability scanners — which ones would be a good fit for a midsize software startup?

Threat & Vulnerability Management Vendor/Product Recommendation Security Strategy & Roadmap

2k views24 Comments

IT Strategist in Government, 1,001 - 5,000 employees

We use Nessus, but we are a large organization. For a smaller organization on a limited budget, I would recommend to use an online scanner tool like Intruder.io or likes. Once you have you product developed/matured, you can invest in a better tool, which will be more suited for your target industry.

Chief Technology Officer in Software, 51 - 200 employees

We use Nuclie as its open source. https://nuclei.projectdiscovery.io/
Still in Nascent stages, but so far good for our use cases

CIO in Services (non-Government), 1,001 - 5,000 employees

We use Tenable asit is number 1 in a lot of categories.

Director of Tech and Cyber Strategy in Finance (non-banking), 1,001 - 5,000 employees

We looked at Nessus but when with Qualys (our parent allowed us favorable commercial terms).

OWASP has a number of open source tools. My advice is to look at a tool that not only provides the scanner but to also look at integration costs (particularly if you use a CMDB) and determine where the best marginal dollar spent is. In many cases the easy of operationalizing the tool can be more important than the tool. Ultimately cyber security is about redundancy and layering and IMO what best supports that strategy is more important than how well one tool might perform on its own,

https://owasp.org/www-community/Vulnerability_Scanning_Tools

Vice President & Chief Information Security Officer (CISO) in Software, 10,001+ employees

Nessus, Qualys, wazuh, OpenVAS are good options

VP of IT in Retail, 10,001+ employees

I would recommend using Nessus as it’s one of the best product out there. It’s an ideal solution from product and price perspective for a mid-size startup.

Founder & CISO in Education, 11 - 50 employees

Our experience has been good with the following tools.

For network - Nessus
For SAST - SonarQube or Verracode
For OSS - Dependecy Track or Snyk
For DAST - Acunetix or Burpsuite.

Director of Information Security Operations in Consumer Goods, 1,001 - 5,000 employees

Nmap, nesus, qualys

CISO in Software, 10,001+ employees

Both Qualys and Tenable are standard choices for many businesses, but the most commonly used in startups is Burp.

CISO in Finance (non-banking), 10,001+ employees

For Mid Size organization's Nessus professional not nessus security center is good for OS scanning and Configuration Audit. Burp suite even licensed version of it is good option for web scanning. Burp suite freeware is there but has lot of limitations. NMAP is also good option for network scanning. Organization can also reply on open source vapt tools for scanning and manual security testing of apps. Microsoft baseline security analyzer which is free can also be used for windows OS scan.