Once a site is scanned you'll see a list of assets and vulnerabilities. You can see asset details including OS and software information and details on vulnerabilities and how to fix them. You can optionally set policies to define and track your desired compliance standards. You can also generate and export reports on a variety of aspects.
Nexpose Community Edition is a solid full-featured vulnerability scanner that's easy to setup but the 32 IP limit may make it impractical for larger networks.
SecureCheq can perform local scans on Windows desktops and servers, identifying various insecure advanced Windows settings like defined by CIS, ISO or COBIT standards. It concentrates on common configuration errors related to OS hardening, data protection, communication security, user account activity and audit logging. The free version, however, is limited to scanning less than two dozen settings, about a quarter of what the full version supports.SecureCheq is a simple tool. After scanning the PC you'll see a list of all the checked settings and a Passed or Failed result.
Click a setting and you'll find links to references about the vulnerability, summary of the vulnerability, and how to fix it. Though you can't save the results for later viewing in the application, you can print them or view/save the OVAL XML file.
Although SecureCheq is easy-to-use and scans for advanced configuration settings, it actually misses some of the more general Windows vulnerabilities and network-based threats. However, it complements the Microsoft Baseline Security Analyzer (MBSA) well; scan for basic threats and then follow up with SecureCheq for advanced vulnerabilities.
6. Qualys FreeScan
Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet facing or local servers or machines. You initially access it via their web portal and then download their virtual machine software if running scans on your internal network.
Qualys FreeScan supports a few different scan types; vulnerability checks for hidden malware, SSL issues, and other network-related vulnerabilities. OWASP is for auditing vulnerabilities of web applications. Patch Tuesday scans for and helps install missing software patches. SCAP checks computer settings compliance against the SCAP (Security Content Automation Protocol) benchmark provided by National Institute of Standards and Technology (NIST).
Though you first see just an online tool that appears to just do scanning via the Internet, if you enter a local IP or scan, it will prompt you to download a virtual scanner via a VMware or VirtualBox image. This allows you to do scanning of your local network. Once a scan is complete you can view interactive reports by threat or by patch.
Since Qualys FreeScan only provides 10 free scans, it's not something you can use regularly. Consider using another solution for day-to-day use and periodically run Qualys FreeScan for a double-check.
Sign up for Computerworld eNewsletters.