Vulnerability assessment: Leave the scanning to someone else?

Vulnerability assessment is a crucial component of application security. However, Robert Scheier advises readers that vulnerability scans have their limitations.

Scanning for security vulnerabilities is like checking the doors before you go to sleep for the night -- a "must-do" that only eliminates the most obvious security threats.

All too often, says Gartner Inc. Analyst John Pescatore, companies that buy a vulnerability-scanning product find that it "turns into shelfware within a year. They buy the product, run it a few times, then other duties intrude, or the person running the vulnerability assessment has to do other things or quits." What's more, says Pescatore, vulnerability assessment tools only find known threats such as worms and unpatched systems rather than the attacks from insiders that cause the most damage.

Still, vulnerability assessment is important if only to help you quickly guard against the known threats so you can focus on the more important dangers. It also helps prove you've done "due diligence" in performing basic system patches and fixing the well-known problems in case a security breach causes financial, legal or regulatory problems.

Application vulnerabilities
Reasons for application vulnerabilities 

App vulnerability detection improved by partnership 

Vulnerability assessment pays off for Debt Exchange 

Because vulnerability scans are so tiresome and because they require an up-to-date knowledge of the latest threats, they're often best performed by buying an assessment service rather than an assessment tool, says Pescatore. If you can't dedicate 20% of one person's time (one day a week) to doing vulnerability scans, he says, you're better off going with an assessment service.

Among the service vendors, Qualys Inc. of Redwood Shores, Calif. "[has] been out there the longest with a dedicated service and tends to do a very good job updating their tests each week," says Pescatore. Its QualysGuard on-demand security audit service identifies all of an organization's network devices that can be detected from the Internet, checks if they suffer from any of thousands of known vulnerabilities and delivers detailed reports about the vulnerabilities along with recommended countermeasures and patches. Pricing is per host IP address scanned and starts at $995 for a single address.

Other vendors providing vulnerability assessment as a service include Guardent Inc., TruSecure Corp. and Meta Security Group. While pricing varies by vendors, many service providers need to charge upwards of $10,000 a month to customers with several hundred users in order to pay for the expensive infrastructure and skills it takes to do vulnerability assessments, says Fergal Mullen, a principal at Highland Capital Partners, a venture capital firm in Lexington, Mass.

Mullen recommends looking for services that go beyond vulnerability assessment to prioritize the threats based on the unique situation of every organization. But doing this requires a lot of hard work on the part of the customer, he warns. "Service providers will try to present their solution as being fairly autonomous and having a lot of self-discovery types of capabilities," he says. However, it's very difficult for any tool to correctly identify the threats that are most important until business managers get involved and identify the systems that are most crucial to their business, he says.

"This is one area that Critical Watch is pitching very strongly" with its Enterprise Vulnerability Management service, says Mullen. "They're looking to identify all the tactical vulnerabilities in your infrastructure," he says, as well as mapping those vulnerabilities against an understanding of which systems are most critical to the business.

Some assessment vendors focus on particular compliance or remediation areas. Xacta Corp., for example, offers Commerce Trust Version 4.0, which helps organizations monitor their compliance with legal and regulatory as well as security standards. Foundstone Inc. claims its patent-pending workflow process "provides security managers with unequaled, step-by-step control over the vulnerability 'fix' process."

Given the need to provide vulnerability assessment as a service, many vendors provide a combination of scanning appliances, scanning software and/or a Web-delivered assessment service. The combined offerings usually include a scanning engine, the ability to compare the configuration of the customer's network components with a current database of known vulnerabilities, reports listing the vulnerabilities along with suggested remediation action and, in some cases, the ability to actually fix the vulnerabilities with an audit trail proving when they were fixed.

If you can devote enough staff time to justify buying an assessment tool, both Pescatore and Mullen recommended first considering free software such as the Nessus Security Scanner, which Mullen says, can sometimes outperform commercial tools.

Among the vendors offering assessment tools either standalone or along with a service are Internet Security Systems Inc., RiskWatch Inc., Bindview Corp. and Network Associates Technology Inc. Sourcefire Inc. recently updated its Intrusion Management System software (which is based on the open-source Snort intrusion-detection system) with the Real-time Network Awareness (RNA) appliances, which the company says can alert administrators in real-time to anomalous network behavior. Longtime security vendor Harris Corp. recently won certification under the international Common Criteria standard for its STAT Scanner network security assessment software.

Looking to the future, Pescatore has high hopes for the proposed Application Vulnerability Description Language (AVDL) that would allow different types of security tools from different vendors to communicate with each other. By 2005, he's hopeful the standard will allow, for example, a vulnerability assessment tool to tell a firewall about the vulnerabilities it's found in a network, and the firewall would automatically change its configuration to protect against those vulnerabilities.

The standards effort is being managed by the Organization for the Advancement of Structured Information Standards (OASIS) and will, he predicts, work with the existing CVE (Common Vulnerabilities and Exposures) list of common names for security threats that allows intrusion-detection products to more easily share information.

Until then, Mullen advises customers to beware of the hype in a crowded market and to be careful about buying products that address only part of the vulnerability assessment and remediation problem so that "you end up managing the tools rather than managing the problem," says Mullen.

His advice: "Find someone who can combine some of the point products into an overall service," combining vulnerability management with virus protection, firewall and intrusion-detection capabilities. For that, he says, customers could build on suites from their existing security vendors, or look at newcomers such as Application Security Inc., which could wind up competing directly with Internet Security Systems, says Mullen.

About the author
Robert L. Scheier writes regularly about security from Boylston, Mass.

This tip originally appeared on SearchSecurity.com
This was first published in December 2005

Dig deeper on Software Security Test Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

1 comment

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close