Slashdot Mirror


Vulnerability Assessment Scanners Comparison

Roberto writes "Network Computing is running a comparison between various commercial and open-source vulnerability assessment scanners - and open-source wins, thanks to Nessus, even though none of the tools could spot all the vulnerabilities that were present in the test lab."

4 of 36 comments

  1. Re:Vulnerability Scanner Article Well Worth Reading by mjh · Score: 4
    The comparison is quite detailed, considering the fact that it appears in a magazine that can be bought on the newsstand.

    The most interesting part that I find about this entire article is the fact that this magazine (which I subscribe to) is a free subscription. The magazine doesn't make any money off of subscriptions. The magazine effectively makes all of its money from advertisements. The fact that they would review an open-source competitor is surprising in itself. The fact that they gave it the nod is going to do nothing but hurt their advertising deals with the commercial products that they reviewed.

    Of course, that's only one way to look at it. The other way to look at it is that they just effectively said that if you want to get all your vulnerabilities detected, you need to buy at least one thing. Combine that one thing with the open source product, and you've got a complete solution.

    Is the glass half empty, or half full? Hmmm...

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  2. Almost impossible to do it right by scott1853 · Score: 5

    It would take a well trained, intelligent human being to discover security flaws. If your need for security is more than the average home-based internet surfer running ZoneAlarm, then you should hire a 3rd-party company specializing in security to evaluate your system.

    I would use scanners only to perform automated checks to make sure that known holes have not been opened after the initial check. Periodically, the 3rd-party company should be hired to come back and recheck the system for old holes as well as new ones that have been discovered since the previous system test.

  3. Vulnerability Scanner Article Well Worth Reading by dave_aiello · Score: 5
    The Network Computing Vulnerability Assessment Scanner Article is very well written and is particularly helpful to server administrators who have not focused on security issues. I think the Slashdot article could be improved by citing the following passage from the review:
    We set up 17 of the most common and critical vulnerabilities out there, and not one product detected them all.... The closest was the Nessus Security Scanner, which nailed 15 of the 17. But even one hole is too many. Because all the products failed to identify key vulnerabilities, none of them received our Editor's Choice award.
    The comparison is quite detailed, considering the fact that it appears in a magazine that can be bought on the newsstand.

    It may be a bit unfair to take the paragraph I cited out of context because the article goes on to do a good job of weighing the individual pros and cons of the highly rated scanners. Nevertheless, I think the article's key finding is that even the best of the tools they evaluated failed to catch all of the vulnerabilities that they had intentionally installed. Every opportunity should be taken to emphasize this point to the readers.
    --
    Dave Aiello
  4. They missed a very important point - by djrogers · Score: 4

    Using a proprietary (closed source) vulnerability scanner is sort of equivalent to asking a person off the street to give your home a security check. Do you know what internal code audits are done on the software? What sort of 'reporting' it may do during 'updates'? I don't mean to sound too paranoid, but all it takes is one programmer...

    Another, more down to earth point is the ability to write your own checks for the scanner - are you stuck with paying maintenance fees to a company for updates of dubious quality, or can you go out and write them yourself?

    --
    Think outside the... Hey, where'd the friggin' box go?
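Two of the comments above make practical points: scott1853's suggestion to use a scanner only as an automated regression check that known holes stay closed after a human assessment, and djrogers's point that you want to be able to write your own checks instead of waiting on a vendor. The script below is an added example that illustrates both; it is not code from Network Computing, Nessus, or any scanner in the review. It assumes nmap "grepable" output (-oG) from a version scan (-sV) as input, and the scan text, the baseline and the check policies are all constructed for the example.

```python
"""Added example: regression-check a network scan against an approved baseline
and run user-written checks over the results. Constructed for this page; not
code from Network Computing, Nessus, or any reviewed scanner.
Assumed input format: nmap "grepable" output (-oG) from a version scan (-sV)."""
import re

# Constructed sample scan output (not a real capture). Each port entry is
# port/state/protocol/owner/service/rpcinfo/version/ separated by commas.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/30
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//nginx 1.24.0/\tIgnored State: closed (998)
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 23/open/tcp//telnet///, 3306/open/tcp//mysql//MySQL 8.0.35/
# Nmap done
"""

# Approved baseline from the initial, human-reviewed assessment (assumed):
# the only ports each host may expose. Anything beyond this is a regression.
BASELINE = {
    "10.0.0.1": {(22, "tcp"), (80, "tcp")},
    "10.0.0.2": {(22, "tcp")},
}

# port / state / proto / owner / service / rpcinfo / version /
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: {(port, proto): (service, version)}} for open ports only."""
    scan = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # -oG separates Host/Ports/... by tabs
        host = fields[0].split()[1]
        ports = {}
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_RE.finditer(field[len("Ports:"):]):
                    port, state, proto, service, version = m.groups()
                    if state == "open":
                        ports[(int(port), proto)] = (service, version)
        scan[host] = ports
    return scan


def regressions(scan, baseline):
    """Open ports not in the baseline, per host. A host absent from the
    baseline is reported in full, since nothing on it has been approved."""
    found = {}
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        extra = sorted(p for p in ports if p not in allowed)
        if extra:
            found[host] = extra
    return found


# User-written checks: each takes (host, port, proto, service, version) and
# returns a finding string or None. Policy thresholds here are assumptions.
def check_cleartext_admin(host, port, proto, service, version):
    if service in {"telnet", "ftp", "rsh", "rlogin"}:
        return f"{host}:{port}/{proto} exposes cleartext service {service}"
    return None


def check_database_exposed(host, port, proto, service, version):
    if service in {"mysql", "postgresql", "ms-sql-s", "mongodb", "redis"}:
        return (f"{host}:{port}/{proto} exposes database service {service} "
                f"({version or 'unknown version'})")
    return None


CHECKS = [check_cleartext_admin, check_database_exposed]


def run_checks(scan, checks):
    """Apply every check to every open port; return the list of findings."""
    findings = []
    for host, ports in sorted(scan.items()):
        for (port, proto), (service, version) in sorted(ports.items()):
            for check in checks:
                finding = check(host, port, proto, service, version)
                if finding:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    for host, extra in regressions(scan, BASELINE).items():
        print(f"REGRESSION {host}: unapproved open ports {extra}")
    for finding in run_checks(scan, CHECKS):
        print("FINDING", finding)
```

The baseline diff only catches holes that were closed during the initial assessment and have since reopened; it says nothing about a new class of flaw, which is exactly why the comment still recommends periodic human re-testing. The check functions are deliberately plain Python so that a check you need today does not depend on a vendor update; a real deployment would feed `parse_grepable` from a scheduled `nmap -sV -oG` run rather than the constructed string.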