Core Security Updates Penetration-Testing Software

The company revamps its automated vulnerability-scanning tool to include testing for client-side applications and support for Mac OS X.

Core Security Technologies released an update to its penetration-testing automation software on Aug. 14, promising to help companies more effectively test their networks for potential security loopholes.

Dubbed Core Impact 6.0, the product boasts a completely retrenched applications framework that the vendor claims will greatly improve the efficacy and ease of use of its tools. Core Security said it will forward the product as a free upgrade to existing customers of its software.

The rebuild is centered on a new version of the software agent that carries out the penetration testing itself. Core says the agent is capable of recreating the most sophisticated attacks on the security landscape without actually altering or damaging the systems it is being run on.


One of the major steps forward in the release, according to Core executives, is the product's addition of penetration testing for so-called client-side applications, such as Web browsers, spreadsheets and multimedia players, which have become the focal point for many emerging IT security attacks.

"There have been a number of high-profile incidents such as the MySpace compromise that have targeted client-side weaknesses to deliver their payloads, and attackers are only going to increase their focus on these types of threats because the vulnerabilities are so easy to exploit," said Max Caceres, director of product management at Core, in Boston.

"At the same time, the vulnerabilities in endpoint security tools are becoming harder to control, so there's a definite need for more penetration testing in general," Caceres said.

Other new features in the product include database tools for managing client-side information that will allow the product to store information related to the client-side aspects of a penetration test, including any involved contacts, e-mail addresses and host information.

Another addition is a revamped user interface with a new "generic" view that can be used to search the product's database and organize data about scans in user-created folders, which the company said would speed users' access to test results.

Core also added support for Apple Computer's Mac OS X operating system, as the platform is becoming more widely used in businesses, and also the subject of a larger number of emerging attacks.

Charles Kolodgy, an analyst with IDC, based in Framingham, Mass., said Core's approach remains unique as the market for penetration testing continues to mature, which could help Core Impact find a home with more customers. By having tools in-house with which to complete the work typically left to outside auditors, companies can ensure that the everyday changes they make to their networks don't result in serious vulnerabilities.

Another selling point that may appeal to users is the ability to test the status of other security technologies using Core Impact, according to the analyst.

"It seems like there's some interest among customers in automating some of these responsibilities," Kolodgy said. "The issue that people have is that when they're doing pen testing as a service, the expertise isn't with you all the time, but their environment is changing all the time with new devices and applications; having your own tool to do testing constantly, rather than waiting for audits, is an idea that some companies may adopt."
