A Vulnerability Scan Plan

Used together, scanning systems can help enterprises find trouble before it finds them.

Conventional wisdom says that looking for trouble isnt a good idea. When it comes to IT security, however, finding system troubles before anyone else does is the name of the game. In this special section, eWeek Labs examines the state of the art in security vulnerability detection from several angles.

Its cheapest—and most effective—to fix problems while they are in development, and I evaluate two tools designed to detect application security problems before they become security risks: Sanctum Inc.s AppScan 3.0 and SPI Dynamics Inc.s WebInspect 2.0.

Both of these products scan only Web applications, however. For ongoing security tests of other pieces of IT infrastructure (such as operating systems, server software and network systems), organizations will need a comprehensive vulnerability scanner. eWeek Labs East Coast Technical Director Jim Rapoza reviews one such scanner, Foundstone Inc.s FoundScan 2.5. FoundScan is targeted at very large enterprises with hundreds of thousands of servers to manage.

Crackers rely heavily on rapid IP address range scanning tools to find initial targets, so IT employees need to use the same tactic to find those holes first. Its especially important to scan regularly for the security managers nightmare scenario—freshly installed rogue servers (probably configured with insecure default settings), which might as well have a "take me now" sign hung on them. (Click here for a chart on the security assessment life cycle)

Managed security companies can be a real help in detecting these problems—the classic external penetration test was for years, after all, the primary way corporations did vulnerability assessment. Managed security companies let businesses take advantage of skills developed in detecting and handling real intrusions—without having to go through this often painful learning process themselves. Senior Writer Anne Chen reports on how e-Travel Inc. turned to provider TruSecure Corp. for help in setting up a comprehensive security policy.

Finally, vulnerability detection cant stop at finding documented problems. What about the new flaws constantly being found? Labs Director John Taschek took a look at Cenzic Inc.s Hailstorm 3.0, a tool that records real data traffic, modifies it in ways likely to cause problems for unsecured applications or hardware, and then plays the modified traffic back against devices to detect flaws—perhaps including a flaw that might become the basis for next years Code Red.