A Vulnerability Scan Plan | eWeek

A Vulnerability Scan Plan

Écrit par
Timothy Dyck
Timothy Dyck
May 20, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Conventional wisdom says that looking for trouble isnt a good idea. When it comes to IT security, however, finding system troubles before anyone else does is the name of the game. In this special section, eWeek Labs examines the state of the art in security vulnerability detection from several angles.

Its cheapest—and most effective—to fix problems while they are in development, and I evaluate two tools designed to detect application security problems before they become security risks: Sanctum Inc.s AppScan 3.0 and SPI Dynamics Inc.s WebInspect 2.0.

Both of these products scan only Web applications, however. For ongoing security tests of other pieces of IT infrastructure (such as operating systems, server software and network systems), organizations will need a comprehensive vulnerability scanner. eWeek Labs East Coast Technical Director Jim Rapoza reviews one such scanner, Foundstone Inc.s FoundScan 2.5. FoundScan is targeted at very large enterprises with hundreds of thousands of servers to manage.

Crackers rely heavily on rapid IP address range scanning tools to find initial targets, so IT employees need to use the same tactic to find those holes first. Its especially important to scan regularly for the security managers nightmare scenario—freshly installed rogue servers (probably configured with insecure default settings), which might as well have a “take me now” sign hung on them. (Click here for a chart on the security assessment life cycle)

Managed security companies can be a real help in detecting these problems—the classic external penetration test was for years, after all, the primary way corporations did vulnerability assessment. Managed security companies let businesses take advantage of skills developed in detecting and handling real intrusions—without having to go through this often painful learning process themselves. Senior Writer Anne Chen reports on how e-Travel Inc. turned to provider TruSecure Corp. for help in setting up a comprehensive security policy.

Finally, vulnerability detection cant stop at finding documented problems. What about the new flaws constantly being found? Labs Director John Taschek took a look at Cenzic Inc.s Hailstorm 3.0, a tool that records real data traffic, modifies it in ways likely to cause problems for unsecured applications or hardware, and then plays the modified traffic back against devices to detect flaws—perhaps including a flaw that might become the basis for next years Code Red.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.