A Vulnerability Scan Plan | eWeek

A Vulnerability Scan Plan

Written By
Timothy Dyck
Timothy Dyck
May 20, 2002
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Conventional wisdom says that looking for trouble isnt a good idea. When it comes to IT security, however, finding system troubles before anyone else does is the name of the game. In this special section, eWeek Labs examines the state of the art in security vulnerability detection from several angles.

Its cheapest—and most effective—to fix problems while they are in development, and I evaluate two tools designed to detect application security problems before they become security risks: Sanctum Inc.s AppScan 3.0 and SPI Dynamics Inc.s WebInspect 2.0.

Both of these products scan only Web applications, however. For ongoing security tests of other pieces of IT infrastructure (such as operating systems, server software and network systems), organizations will need a comprehensive vulnerability scanner. eWeek Labs East Coast Technical Director Jim Rapoza reviews one such scanner, Foundstone Inc.s FoundScan 2.5. FoundScan is targeted at very large enterprises with hundreds of thousands of servers to manage.

Crackers rely heavily on rapid IP address range scanning tools to find initial targets, so IT employees need to use the same tactic to find those holes first. Its especially important to scan regularly for the security managers nightmare scenario—freshly installed rogue servers (probably configured with insecure default settings), which might as well have a “take me now” sign hung on them. (Click here for a chart on the security assessment life cycle)

Managed security companies can be a real help in detecting these problems—the classic external penetration test was for years, after all, the primary way corporations did vulnerability assessment. Managed security companies let businesses take advantage of skills developed in detecting and handling real intrusions—without having to go through this often painful learning process themselves. Senior Writer Anne Chen reports on how e-Travel Inc. turned to provider TruSecure Corp. for help in setting up a comprehensive security policy.

Finally, vulnerability detection cant stop at finding documented problems. What about the new flaws constantly being found? Labs Director John Taschek took a look at Cenzic Inc.s Hailstorm 3.0, a tool that records real data traffic, modifies it in ways likely to cause problems for unsecured applications or hardware, and then plays the modified traffic back against devices to detect flaws—perhaps including a flaw that might become the basis for next years Code Red.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.