» PRODUCT SECTION
GroupTest: Vulnerability assessment
Is vulnerability assessment what it should be? Peter Stephenson examines the field and
discovers there have been some subtle – and a few not so subtle – evolutions in the space.
PICK OF THE LITTER
Core Impact is back again with a new version and just when we thought this product could not get any more powerful, it surprises us once again. SC Lab Approved rating goes again to this very

For its comprehensive capability and ease of use, we rate McAfee Vulnerability Manager our Best Buy.

We love SAINT Integrated Vulnerability Scanner and Penetration Testing Software and have for years since it was open source (under a different name, of course).

This year, when we looked at vulnerability assessment tools, we found something very interesting: Vendors are starting to decide where their products fit in the marketplace. On the surface, that sounds like a no-brainer, but, as it happens, there have been some subtle – and a few not so subtle – evolutions in the world of vulnerability assessment. We saw most of them.

Our initial question at the start of this discussion is: “What do we really mean by vulnerability assessment?” As I mentioned in the opening column this month, there is an emerg-

answer – and, in my view it is – but apparently it’s not.

These introduce a much more difficult environment because part of the “chain” or the “blend” includes malware, such as trojans, bots and, especially, rootkits. These are likely to operate from within the enterprise, so the concept of reachability becomes far more complicated. Now we care as much about how the rootkit got into the enterprise as we do about what it can do once it is there. That means that vulnerability testing must work in concert with threat management and must be more comprehensive.

ability assessment is a very good approach but, with a couple of exceptions, that means using

Before you say that pen testing really isn’t necessary, let’s revisit the issue of null scanning. A null scan is the old way we used to run scanners. These scanners simply look at those devices they can touch and the vulnerabilities generally are in the interface to the outside, in the case of some applications, or the communications stack on the platform. Today, those vulnerabilities are getting close to being under control (except in