NeXpose FAQ - General Answers
What is NeXpose?
NeXpose, Rapid7’s enterprise vulnerability assessment and risk management solution, was launched in 2001 to help IT and security professionals gain overall control of their network and protect software and applications from internal and external intruders. NeXpose minimizes the time spent locating and eliminating an organization's security vulnerabilities, thereby increasing network reliability, enhancing organizational efficiencies, and improving resource management across operating systems, servers, databases, and applications.
What is Vulnerability Management?
Vulnerability management is a collaborative workflow process consisting of seven integrated steps: Discover, Audit, Delegate, Remediate, Confirm, Report, and Adapt. This process is continuous and creates a closed feedback loop for ongoing network threat management. For more detailed information on implementing a vulnerability management program for your organization using Rapid7’s NeXpose, download our whitepaper, “Enterprise Vulnerability Management”.
What is Vulnerability Assessment?
Vulnerability Assessment (VA) is an integral part of Vulnerability Management. VA is the process of identifying network and device vulnerabilities before hackers or malicious users can exploit these vulnerabilities to gain unauthorized access to your network.
How long have Rapid7 and NeXpose been serving the vulnerability management market?
Rapid7 provides network security software and related research. Spun off from a group of established software companies, Rapid7 was founded in 1998 by its current principals, who possess extensive technological expertise, sales acumen, and business operations experience. Rapid7 is privately funded and has achieved steady growth by meeting the needs of global enterprises to assess and prevent network vulnerabilities that expose the organization to data security threats and potential legal and financial liabilities.
Is NeXpose a software solution or an appliance?
Rapid7 is the only company that offers you a choice of deployment options for vulnerability management. NeXpose comes as a software package, an appliance or as a managed service. Visit NeXpose Deployment Options to get more information on how you may want to structure your vulnerability assessment environment.
My company already uses firewalls and IDS (intrusion detection systems). Why do I need vulnerability management?
NeXpose is used alongside firewalls, IDS and other network security systems, not instead of them. Firewalls and IDS react to traffic; NeXpose is a proactive vulnerability management solution that finds the weaknesses an attacker would exploit before they are exploited, and so complements the existing security infrastructure.
Is NeXpose host-based or agent-based?
All scans are network-based. NeXpose does not install any agent software on target devices.
What process is used to keep vulnerability signatures up-to-date?
Rapid7 provides a 24-hour SLA for critical vulnerability definitions. Our vulnerability database, the key to the NeXpose system, is proprietary and contained within NeXpose. NeXpose has an extensive built-in database of over 38,000 vulnerability checks. This database cross-links to thousands of external databases that provide patches, downloads, references and additional information about the security weaknesses in systems, including CERT, SANS, CVE, the Microsoft Knowledge Base and Bugtraq.
How often are signatures updated?
The database is updated on a regular basis through a subscription service, which maintains the existing vulnerability definitions and links, and adds new vulnerability definitions and links on a continuous basis. NeXpose auto-updates every 6 hours, downloading new vulnerability definitions as XML definition templates.
Is your product CVE compatible?
Yes, NeXpose completed MITRE's formal CVE compatibility process and is certified as "CVE-compatible". You can find the completed questionnaire at the official MITRE CVE Web site.
In what way will your product assist with compliance with ISO 17799, HIPAA, SOX, and GLBA? Explain.
NeXpose will assist with compliance for ISO 17799, HIPAA, SOX and GLBA. Tests for compliance are very customer-specific, so NeXpose provides the option to create custom scan templates. Examples of custom scanning include policy checking, file searching, scanning with user credentials, and building new custom vulnerability definitions. NeXpose includes pre-defined scan templates for HIPAA and Sarbanes-Oxley compliance.
Can NeXpose be used to ensure compliance with the PCI Standard?
Rapid7 has successfully completed the MasterCard Site Data Protection (SDP) Vendor Compliance Testing Program, which certifies us to help merchants achieve compliance with the Payment Card Industry (PCI) Data Security Standard.
NeXpose PCI Compliance provides scan templates and reporting capabilities that meet or exceed the MasterCard SDP specifications for system security scanning. The PCI Standard compliance report provides pass/fail information at both executive and administrator detail levels. A complete remediation plan is provided that enables security analysts to bring their system devices into full compliance with the PCI Standard.
Describe how your system can be deployed or used to allow consultants to run scans of customer’s internal networks.
Internal scans can be accomplished in two distinct ways. First, consultants can install NeXpose on a laptop and physically connect to the customer’s internal network to conduct a scan. The second way would be to install a fixed scanning engine or appliance on the customer’s internal network and manage scans from a separate management console either running at the customer or consultant site.
Describe how your solution can be integrated with another system to allow the other system to automatically cause a scan to run.
NeXpose provides the capability to drive scans and query the internal database through an external XML based API.
Describe how your solution accounts for devices that use DHCP addresses.
NeXpose will scan hosts that obtain IP addresses via DHCP whenever their current IP address is within the scan range set up by the administrator. Because such a host may hold a different address in each scan, DHCP devices are tracked across multiple IPs using hostnames or MAC addresses rather than the IP alone.
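The following is an added illustration, not NeXpose code, of why findings on DHCP hosts must be keyed by MAC address or hostname rather than IP: two constructed scans of the same hosts are compared with both keying schemes, and only the MAC/hostname key shows the laptop's real remediation status after it takes a new lease. The vulnerability ids and addresses are placeholders constructed for the example.

```python
# Constructed example (not NeXpose code): the same two hosts are scanned twice and
# the laptop has taken a new DHCP lease in between. Keying by IP misreports it as one
# vanished asset plus one new asset; keying by MAC (hostname as fallback) tracks it
# as one device whose findings can be compared across scans.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanResult:
    ip: str
    hostname: str | None
    mac: str | None
    vulns: frozenset[str]

def key_by_ip(r: ScanResult) -> str:
    return "ip:" + r.ip

def key_by_mac_or_hostname(r: ScanResult) -> str:
    # MAC is the most stable identity across leases, hostname the next best;
    # the IP is used only when the scanner learned neither.
    if r.mac:
        return "mac:" + r.mac.lower()
    if r.hostname:
        return "host:" + r.hostname.lower()
    return key_by_ip(r)

def diff_scans(before, after, key_fn):
    """Per asset key: IPs seen, open/resolved/new findings, and whether it went missing."""
    prev = {key_fn(r): r for r in before}
    curr = {key_fn(r): r for r in after}
    report = {}
    for key in prev.keys() | curr.keys():
        old = prev[key].vulns if key in prev else frozenset()
        new = curr[key].vulns if key in curr else frozenset()
        report[key] = {
            "ips": sorted({r.ip for r in (prev.get(key), curr.get(key)) if r}),
            "open": set(new), "resolved": set(old - new), "new": set(new - old),
            "missing": key not in curr,  # asset not seen in the latest scan
        }
    return report

# Constructed sample scans; vulnerability ids are placeholders, not real CVEs.
SCAN_1 = [ScanResult("10.0.0.5", "laptop1", "00:11:22:33:44:01", frozenset({"VULN-A", "VULN-B"})),
          ScanResult("10.0.0.6", "server1", "00:11:22:33:44:02", frozenset({"VULN-C"}))]
SCAN_2 = [ScanResult("10.0.0.7", "laptop1", "00:11:22:33:44:01", frozenset({"VULN-B"})),  # new lease
          ScanResult("10.0.0.6", "server1", "00:11:22:33:44:02", frozenset({"VULN-C"}))]

if __name__ == "__main__":
    for name, fn in (("by IP", key_by_ip), ("by MAC/hostname", key_by_mac_or_hostname)):
        print(name, diff_scans(SCAN_1, SCAN_2, fn))
```

Keyed by IP, the report claims 10.0.0.5 vanished with both findings "resolved" and 10.0.0.7 appeared with a new finding; keyed by MAC, the laptop is one asset with VULN-A resolved and VULN-B still open.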
"Rapid7’s support during our product trial was excellent, and since our purchase it has consistently been great. If we need help or have a question, we always get a live person."
Joe Ferris
Network Security Engineer
IT Security Team, Florida State University