A Vulnerability Scan Plan

By Timothy Dyck  |  Posted 2002-05-20 Print this article Print

Used together, scanning systems can help enterprises find trouble before it finds them.

Conventional wisdom says that looking for trouble isnt a good idea. When it comes to IT security, however, finding system troubles before anyone else does is the name of the game. In this special section, eWeek Labs examines the state of the art in security vulnerability detection from several angles.

Its cheapest—and most effective—to fix problems while they are in development, and I evaluate two tools designed to detect application security problems before they become security risks: Sanctum Inc.s AppScan 3.0 and SPI Dynamics Inc.s WebInspect 2.0.

Both of these products scan only Web applications, however. For ongoing security tests of other pieces of IT infrastructure (such as operating systems, server software and network systems), organizations will need a comprehensive vulnerability scanner. eWeek Labs East Coast Technical Director Jim Rapoza reviews one such scanner, Foundstone Inc.s FoundScan 2.5. FoundScan is targeted at very large enterprises with hundreds of thousands of servers to manage.

Crackers rely heavily on rapid IP address range scanning tools to find initial targets, so IT employees need to use the same tactic to find those holes first. Its especially important to scan regularly for the security managers nightmare scenario—freshly installed rogue servers (probably configured with insecure default settings), which might as well have a "take me now" sign hung on them. (Click here for a chart on the security assessment life cycle)

Managed security companies can be a real help in detecting these problems—the classic external penetration test was for years, after all, the primary way corporations did vulnerability assessment. Managed security companies let businesses take advantage of skills developed in detecting and handling real intrusions—without having to go through this often painful learning process themselves. Senior Writer Anne Chen reports on how e-Travel Inc. turned to provider TruSecure Corp. for help in setting up a comprehensive security policy.

Finally, vulnerability detection cant stop at finding documented problems. What about the new flaws constantly being found? Labs Director John Taschek took a look at Cenzic Inc.s Hailstorm 3.0, a tool that records real data traffic, modifies it in ways likely to cause problems for unsecured applications or hardware, and then plays the modified traffic back against devices to detect flaws—perhaps including a flaw that might become the basis for next years Code Red.

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel