Vulnerability Assessment Tool Filters False Positives

By Cameron Sturdevant  |  Posted 2005-12-12 Print this article Print

Review: Latis Networks' StillSecure VAM 5.3 does a good job of handling the vulnerability assessment workflow and also monitors the repair process.

All vulnerability assessment tools initially create large numbers of false positives. Making the situation worse, its nearly impossible to correctly detect patch levels and operating system and application versions when no standard exists for the uniform reporting of this information.

So its no surprise that, according to every vulnerability assessment tool weve ever seen in eWEEK Labs, the sky is falling.

When IT managers go shopping for a vulnerability assessment tool, it is therefore imperative that they evaluate the process whereby false positives can be systematically eliminated from vulnerability reports. In other words, they must ask: "Is there a good way to turn down the volume of false positives without missing the really bad stuff?"

Click here to read to read a review of Latis Networks StillSecure VAM 5.3. Latis Networks Inc.s StillSecure VAM 5.3 does a good job of handling the vulnerability assessment workflow and also monitors the repair process. When a vulnerability scan is completed, the results are processed. The first step in the workflow confirms that the reported problem actually exists. IT staff who confirm vulnerabilities will need to be expert at understanding what the StillSecure VAM rule was looking for and what conditions will trigger a positive response.

StillSecure VAM 5.3, like many other vulnerability detection tools, starts with nondamaging probes of scan targets. It determines operating system and application versions based on standard responses, such as a routine banner announcing the operating system. It is almost impossible to determine if a patch has been applied to the scan target because while patches ably correct internal code, almost none modify the version response banner of an operating system or application.

By including the role of confirmer in StillSecure VAM 5.3, Latis sets a workflow milestone and distinguishes StillSecure VAM 5.3 from competitors. Once a vulnerability is found not to exist—because a patch has been applied, for example—the rule result will be ignored in subsequent scans. Over time, this significantly reduces the false positives reported by StillSecure VAM 5.3.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Cameron Sturdevant Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel