All vulnerability assessment tools initially create large numbers of false positives. Making the situation worse, it's nearly impossible to correctly detect patch levels and operating system and application versions when no standard exists for the uniform reporting of this information.
So it's no surprise that, according to every vulnerability assessment tool we've ever seen in eWEEK Labs, the sky is falling.
When IT managers go shopping for a vulnerability assessment tool, it is therefore imperative that they evaluate the process whereby false positives can be systematically eliminated from vulnerability reports. In other words, they must ask: “Is there a good way to turn down the volume of false positives without missing the really bad stuff?”
Latis Networks Inc.'s StillSecure VAM 5.3 does a good job of handling the vulnerability assessment workflow and also monitors the repair process. When a vulnerability scan is completed, the results are processed. The first step in the workflow confirms that the reported problem actually exists. IT staff who confirm vulnerabilities will need to be expert at understanding what the StillSecure VAM rule was looking for and what conditions will trigger a positive response.
StillSecure VAM 5.3, like many other vulnerability detection tools, starts with nondamaging probes of scan targets. It determines operating system and application versions based on standard responses, such as a routine banner announcing the operating system. It is almost impossible to determine if a patch has been applied to the scan target because while patches ably correct internal code, almost none modify the version response banner of an operating system or application.
By including the role of confirmer in StillSecure VAM 5.3, Latis sets a workflow milestone and distinguishes StillSecure VAM 5.3 from competitors. Once a vulnerability is found not to exist—because a patch has been applied, for example—the rule result will be ignored in subsequent scans. Over time, this significantly reduces the false positives reported by StillSecure VAM 5.3.
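To make the two points above concrete (banner-based version checks cannot see a backported patch, and a confirmer's decision suppresses that result on later scans), here is a small Python model of the workflow. It is an added illustration, not StillSecure VAM code; the rule id, hostnames and banners are constructed, and the version-comparison rule is a simplification of what a real scanner does.

```python
"""Model of a banner-based vulnerability rule followed by a confirmer step
that suppresses verified false positives on subsequent scans.

Added example, not StillSecure VAM code. Hostnames, banners, the rule id
and the 'fixed in' version are constructed for illustration only."""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Rule:
    rule_id: str
    service: str        # service name the rule looks for in the banner
    fixed_in: tuple     # first version that carries the fix (assumed value)


def service_version(service: str, banner: str):
    """Pull the dotted version that follows the service name out of a banner.
    Returns a tuple of ints, or None if the service or version is absent."""
    m = re.search(re.escape(service) + r"[_\- ]?(\d+(?:\.\d+)+)", banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def banner_flags(rule: Rule, banner: str) -> bool:
    """Raw rule result: flag when the banner reports a version older than the
    fix. A backported patch changes the code but not the banner, so this
    check alone cannot tell a patched host from an unpatched one."""
    ver = service_version(rule.service, banner)
    return ver is not None and ver < rule.fixed_in


@dataclass
class Workflow:
    rules: list
    # (host, rule_id) pairs a confirmer has verified as not actually present
    suppressed: set = field(default_factory=set)

    def scan(self, banners: dict) -> dict:
        """Return {host: [rule_id, ...]} with suppressed results removed."""
        report = {}
        for host, banner in banners.items():
            hits = [r.rule_id for r in self.rules
                    if banner_flags(r, banner)
                    and (host, r.rule_id) not in self.suppressed]
            if hits:
                report[host] = hits
        return report

    def confirm(self, host: str, rule_id: str, present: bool) -> None:
        """Record the confirmer's decision. A finding verified as not present
        is ignored on later scans for that host and rule; marking it present
        again re-enables reporting."""
        if present:
            self.suppressed.discard((host, rule_id))
        else:
            self.suppressed.add((host, rule_id))


# Constructed sample data: host-a and host-b answer with the same banner.
# Assume host-b carries a vendor backport of the fix; its banner is unchanged.
RULES = [Rule("R-SSH-001", "OpenSSH", (3, 7, 1))]
BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_3.6.1p2",
    "host-b": "SSH-2.0-OpenSSH_3.6.1p2",
    "host-c": "SSH-2.0-OpenSSH_3.9p1",
}


def demo():
    """First scan flags both 3.6.1 hosts; after the confirmer verifies the
    patch on host-b, the second scan reports only host-a."""
    wf = Workflow(RULES)
    first = wf.scan(BANNERS)
    wf.confirm("host-b", "R-SSH-001", present=False)
    second = wf.scan(BANNERS)
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("first scan:", before)
    print("after confirmation:", after)
```

The suppression key is the host and rule pair, not the rule alone, so a confirmer's decision about one patched host does not silence the same rule on hosts that were never checked; that is the distinction that keeps the volume down without missing the really bad stuff.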