Full Text

A critical component in the vulnerability-managenet process is identifying areas of potential risk. Although risks exist in many forms, few would argue that application and OS vulnerabilities represent some of the largest exposure points in computing environments. Network-based vulnerability-assessment scanners play a critical role in the identification process by enabling their operators to spot security deficiencies before the bad guys do.

We know that throwing tools at security problems won't make them disappear, but a mixture of know-how and well-designed technology can make the difference between working 40 and 80 hours a week. Better network-based VA tools equal lower risk equals more sleep.

We invited Beyond Security, Bind-View Corp., eEye Digital Security, eSecurityOnline, Foundstone, Harris Corp., Internet Security Systems, nCircle, NetIQ, Network Associates, Qualys, Rapid7, SAINT Corp., Symantec, Tenable, The Advanced Research Corp. and Vigilante.com to participate in our tests of VA scanners. ISS and Symantec declined, citing pending revisions; and eSecurityOnline, NetIQ, Network Associates and Advanced Research did not respond at all.

We placed the remaining 11 scanners in the middle of one of the most insecure networks we could create (see "How We Tested Vulnerability Scanners," page 52) and evaluated each on its ability to accurately identify critical vulnerabilities, clearly and concisely report on those vulnerabilities, and perform these tasks in an efficient and noncrippling manner. Since experience has taught us that managing these tools in large organizations can be a bear, interface design and control features also factored into our grades.

We found that, though the VA market holds promise, these products still need time to mature. For example, every system we tested suffered from one problem or another: Foundstone's FoundScan, Qualys' QualysGuard and eEye's Retina had the best management and reporting features but came up short on vulnerability detection. Vigilante.corn's SecureScan, SAINT and Tenable's Nessus all reported a much higher percentage of vulnerabilities but were weak on management and reporting. No product identified an acceptable percentage of vulnerabilities, though eEye's Retina and QualysGuard came close. And network administrators beware: We found these scanners far from non-intrusive. All caused adverse reactions on our network servers. The products from...