Which type of VA/SVM do you want?

March 6, 2006

Security Vulnerability Management (SVM) became one of the main security product categories in 2005, although scanners of this kind have been used to map open ports and vulnerabilities for a long time: the ISS scanner from ISS, NetRecon from Axent (acquired by Symantec in 2001) and CyberCop from NAI (now McAfee) are three old examples. After a few years of evolution, security scanners have developed into a series of SVM or vulnerability assessment (VA) products. According to an article in SC Magazine, there are three types of VA tools:

There are three types of VA tools. First are scanners, which give little beyond listing vulnerabilities, their relative importance and suggested remedies. These are very useful, because they can be used easily, mostly automatically, and offer a good ongoing quality assessment. The downside is their limited functionality compared to other tools we tested. These tools, however, such as Nessus/NeWT and Saint, are very good value and have a definite place in your testing arsenal.

The second type of tool is the full-featured appliance, which not only performs vulnerability scans, but correlates results to regulatory compliance, patch management and a host of other reporting functions. These can be pricey, but are the right answer for many organizations – if nothing else, they address the critical issue of compliance. We were extremely impressed with these appliances.

Finally, we have the (currently unique) tool that does just what experienced pentesters do: scan and follow up with penetration attempts. This tool, Core Impact, behaves exactly as one would expect a hacker to behave. It scans for vulnerabilities and then attempts to penetrate. Saint Corporation will soon introduce a competing product.

To help decide which of these three types of tools you need, look at expected outcomes and testing methodology. Organizations with significant risks in core areas – such as banks with online banking systems – need to pull out all the big guns to ensure that they are safe and in compliance. For these organizations, a combination of a tool that maps scan results against compliance issues and outputs a clear report, and a tool that attempts penetration makes sense.

For smaller organizations with limited tester and financial resources, a scanner might be enough.

Organizations that want to simplify patch management should look at products that offer patch management tied directly to the scan results.

All in all, the vulnerability assessment and its report are not what security administrators ultimately want. What they want is to secure their information assets. A built-in asset-based security risk model and integrated patch management are therefore always welcome by security administrators: the same scanner finding matters far more on a core database server than on a lab machine, and a list of patches ranked by the risk each one retires is more actionable than a list of vulnerabilities ranked by raw severity.
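To make the asset-based risk model concrete, here is an added example of the kind of prioritisation such a product performs. It is illustrative code written for this page, not code from any SVM product or from the SC Magazine review, and it assumes a few things the article does not state: a simple multiplicative risk score (scanner severity times asset criticality times an exposure multiplier), a small asset inventory standing in for a CMDB, and that each finding maps to one patch. All hosts, vulnerability IDs and patch IDs are constructed placeholders, not real CVEs or vendor patch names.

```python
"""Asset-based prioritisation of scanner findings (added, illustrative example).

Scanner output is a flat list of (host, vulnerability, severity). To turn it
into a remediation plan, weight each finding by the business value and
exposure of the asset it sits on, then group findings by the patch that fixes
them so the administrator can see which single action retires the most risk.
All hosts, vulnerability and patch identifiers below are constructed
placeholders, not real CVEs or vendor patch names.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int        # 1 (lab box) .. 5 (core banking system); assumed scale
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # constructed placeholder, not a real CVE
    cvss: float             # 0.0 .. 10.0 base score as reported by the scanner
    patch_id: str           # constructed placeholder for the fix that resolves it


# Constructed asset inventory (stands in for a CMDB)
ASSETS = {
    "web-01": Asset("web-01", criticality=4, internet_facing=True),
    "db-01":  Asset("db-01",  criticality=5, internet_facing=False),
    "lab-07": Asset("lab-07", criticality=1, internet_facing=False),
}

# Constructed scanner output
FINDINGS = [
    Finding("lab-07", "VULN-A", cvss=9.8, patch_id="PATCH-1"),
    Finding("web-01", "VULN-B", cvss=7.5, patch_id="PATCH-2"),
    Finding("db-01",  "VULN-B", cvss=7.5, patch_id="PATCH-2"),
    Finding("web-01", "VULN-C", cvss=5.0, patch_id="PATCH-3"),
    Finding("db-01",  "VULN-A", cvss=9.8, patch_id="PATCH-1"),
]

# Assumed multiplier: internet-facing assets are reachable by more attackers
EXPOSURE_WEIGHT = {True: 1.5, False: 1.0}


def finding_risk(f, assets):
    """Risk = scanner severity x asset criticality x exposure multiplier.
    A host missing from the inventory gets worst-case weights, so an
    unmanaged asset surfaces at the top of the list instead of vanishing."""
    asset = assets.get(f.host)
    crit = asset.criticality if asset else 5
    exposure = EXPOSURE_WEIGHT[asset.internet_facing] if asset else EXPOSURE_WEIGHT[True]
    return f.cvss * crit * exposure


def prioritise_findings(findings, assets):
    """Return findings sorted by asset-weighted risk, highest first."""
    return sorted(findings, key=lambda f: finding_risk(f, assets), reverse=True)


def prioritise_patches(findings, assets):
    """Aggregate risk per patch so the plan reads 'apply PATCH-x' rather than
    'fix N vulnerabilities'. Returns [(patch_id, total_risk, [hosts]), ...]
    with the highest total first."""
    total = defaultdict(float)
    hosts = defaultdict(list)
    for f in findings:
        total[f.patch_id] += finding_risk(f, assets)
        hosts[f.patch_id].append(f.host)
    return sorted(((p, round(total[p], 1), sorted(hosts[p])) for p in total),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for f in prioritise_findings(FINDINGS, ASSETS):
        print(f"{finding_risk(f, ASSETS):6.1f}  {f.host:7} {f.vuln_id} ({f.patch_id})")
    print()
    for patch, risk, hs in prioritise_patches(FINDINGS, ASSETS):
        print(f"{risk:6.1f}  {patch}  {', '.join(hs)}")
```

Run as-is, the raw scanner view would rank VULN-A (CVSS 9.8) first on every host, including the lab machine; the asset-weighted view puts the database server first and drops the lab box to the bottom, and the patch view shows that PATCH-2, which fixes a 7.5 on two important hosts, retires more total risk than PATCH-1 with its 9.8s. That reordering is the whole value of tying the risk model and patch management to the scan results.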
