Beyond ip security and Nessus

[zillah]

The representative of this company :

http://www.beyondip.com/pages/Support/support.htm

has stated the device of this company has no impact on any network device during its vulnerabilities scan, though if it is peak time.

Any insight ?

If we want to do comparison between it and Nessus

The device as representative mentioned it is a special dell box compatible with the specific Linux OS designed for this purpose (vulnerabilities scan).

[peter]

Usually vulnerability scans don't affect your website. They are usually one or two packets per TCP port, and if spaced out correctly, you won't even notice them.

Some hosting companies just use their own simple script that runs "nmap" against a server and outputs the results to a file. Any changes between the previous scan generates an alarm or email. It is simple and effective as a first line of defense.

Security will extend this to include attempts at known hacks, but the problem there is that you don't want them to try anything that could potentially affect your application.

You don't want to be in a situation where you have to tell your boss "Well, they did this security scan to help protect us against hackers, and, well... they crashed the website." That would be a resume generating event!

Security companies often realize this and will just stop at a basic port scan and tell you what vulnerabilities could be present and how to fix them.

Some people would say "If the price is right, use them, learn as much about what they are doing as you can, and then do it yourself the next time." I would too, but if your business depends on the web, and your customers demand strong security, it may be better to blame the outside security consultants about any breaches. Credit card companies usually demand an impartial third party security audit. Keep that in mind.

[zillah]

Credit card companies usually demand an impartial third party security audit. Keep that in mind.

Thanks peter for this input, now I have to make sure that this company (Beyondip security) is the right one.

[peter]

Search the web for things like "beyondip sucks" or "beyondip problem" or "beyondip question", or "beyondip service" or "beyondip hack" etc. and see what the world is saying about them.

[zillah]

I have searched quickly , I could not find something useful, i will try to search again later

[peter]

Look for "beyondip reputation" too.

Ask them for the names of customers and call them up to see what they have to say. Usually the company will give their best customers, so their reviews will tend to be good. I have found it makes sense to ask the customers for other customers of the company, in other words customers whom the company hasn't had a chance to forewarn. The results are usually better.

Customers usually are willing to talk, especially if you talk to the technical staff, and not management. Ask about service levels, outages, billing problems, technical competence, reputation, responsiveness, hidden fees.

If customers are listed on their website, just phone them up. You'll be surprised about the response you could get. Be honest, tell them who you are, the name of your company website and offer to send a test email back and forth to prove that you have an address that belongs to the company you claim to be from.

Also remember to never get into a contract that renews itself automatically. Always renegotiate at the end of the contract, its the only way to get a better price or other conditions and subtly threaten your vendor with the prospect of losing your business to a competitor.

Some vendors may want to have a contract that extends itself one month at a time at the current rates until a new contract is negotiated or one of the parties decides to terminate it. This is another option as you are only liable for a month of payments if you miss a deadline instead of a whole year.