Vulnerability Scanners

Rod asks,

What are you all using for security vulnerability remediation and tracking? Posts in the security community over the last few weeks have highlighted that eEye's Retina product may not be as automated as larger companies need.
What’s your experience?

I haven't used eEye's vulnerability scanner, so I can't really comment on that.
I use Qualys as my vulnerability scanner. An appliance is used to scan internal systems. External systems are scanned from the Qualys servers. I like the customizable reports and the remediation ticketing system. As I've mentioned, I've had some issues with false positives, and they aren't always the fastest at getting those worked out.
We have an auditor on site verifying our Site Security Plan; they are using Harris STAT. I had a week to scan machines using their account. STAT also had its share of false positives. I did not work with STAT support to resolve those, so I don't know how their support is. The reporting was not as flexible as Qualys. It's not a bad software package, but I don't see why the government is so in love with it.
One of the key things I like about Qualys is the ability to schedule and forget. It will always have the current signatures. Ease of use is very important. Automatic updates, scheduled scans, and flexible reporting are key. Vulnerability scanners are designed to let you know about vulnerabilities for which a patch is available. If no one is responding to the reports, it's just a waste of money.
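The remediation-tracking side that the post says makes or breaks a scanner is easy to illustrate. Below is an added example, not code from the original post and not from Qualys, Retina or STAT: it takes a scanner-agnostic CSV export (the sample rows, host addresses, plugin IDs and the SLA-days-per-severity table are all constructed assumptions), collapses repeated detections of the same finding so that a weekly rescan does not reset the remediation clock, drops findings on an accepted false-positive list, assigns a due date from the earliest sighting, and reports what is overdue.

```python
"""Added example: triage scanner findings into remediation tickets with SLAs.

Not part of the original post and not the code of any scanner product.
The CSV layout, hosts, plugin IDs, and SLA_DAYS policy are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export. 10.0.0.5/90001 appears twice (two weekly scans),
# and 10.0.0.9/90001 is a finding that was investigated and ruled a false positive.
SAMPLE_EXPORT = """host,plugin_id,title,severity,first_seen,patch_available
10.0.0.5,90001,OpenSSH update available,high,2024-01-02,yes
10.0.0.5,90001,OpenSSH update available,high,2024-01-09,yes
10.0.0.7,90042,Apache httpd outdated,critical,2024-01-10,yes
10.0.0.7,90077,TLS weak cipher enabled,medium,2024-01-10,no
10.0.0.9,90001,OpenSSH update available,high,2024-01-11,yes
"""

# Assumed remediation policy: days allowed from first sighting, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Accepted false positives, confirmed by hand: (host, plugin_id).
FALSE_POSITIVES = {("10.0.0.9", "90001")}


@dataclass
class Ticket:
    host: str
    plugin_id: str
    title: str
    severity: str
    first_seen: date
    due: date
    patch_available: bool

    def is_overdue(self, today: date) -> bool:
        return today > self.due


def load_findings(export_text: str) -> list:
    """Parse the CSV export; first_seen becomes a real date for comparisons."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        rows.append(row)
    return rows


def triage(findings: list) -> list:
    """Deduplicate on (host, plugin_id), drop accepted false positives, assign SLAs."""
    earliest = {}
    for f in findings:
        key = (f["host"], f["plugin_id"])
        if key in FALSE_POSITIVES:
            continue
        # Keep the earliest sighting so rescans never push the due date out.
        if key not in earliest or f["first_seen"] < earliest[key]["first_seen"]:
            earliest[key] = f

    tickets = []
    for f in earliest.values():
        sev = f["severity"].lower()
        due = f["first_seen"] + timedelta(days=SLA_DAYS.get(sev, 180))
        tickets.append(Ticket(f["host"], f["plugin_id"], f["title"], sev,
                              f["first_seen"], due,
                              f["patch_available"].lower() == "yes"))
    # Most urgent first: earliest due date, then host.
    tickets.sort(key=lambda t: (t.due, t.host))
    return tickets


def summarize(export_text: str, today_iso: str) -> dict:
    """Return counts and the overdue list for a given reporting date."""
    today = date.fromisoformat(today_iso)
    findings = load_findings(export_text)
    tickets = triage(findings)
    suppressed = {(f["host"], f["plugin_id"]) for f in findings} & FALSE_POSITIVES
    return {
        "open": len(tickets),
        "suppressed": len(suppressed),
        "overdue": [(t.host, t.plugin_id, t.due.isoformat())
                    for t in tickets if t.is_overdue(today)],
        "unpatchable": [(t.host, t.plugin_id)
                        for t in tickets if not t.patch_available],
    }


if __name__ == "__main__":
    for t in triage(load_findings(SAMPLE_EXPORT)):
        print(f"{t.due} {t.severity:<8} {t.host:<10} {t.plugin_id} {t.title}")
    print(summarize(SAMPLE_EXPORT, "2024-01-20"))
```

Two choices matter for the point the post makes. The SLA clock starts at the first sighting, not the latest scan, because otherwise a scheduled weekly scan quietly resets every deadline and nothing ever shows as overdue. Findings with no patch available are still ticketed but listed separately, since they need a configuration change or a risk acceptance rather than a patch cycle.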