Wednesday, May 27, 2009

My Take on Enterprise Vulnerability Assessment

I wrote this in an email today, thought I would clean it up and re-post here. It's in response to the question "why not use an open source vulnerability scanner?" I realize it reads a bit like an ad for QualysGuard. I really like QualysGuard though. (Err, also no offense to Tenable. I like you guys just fine, you know, as people.)

The only free product in this space that’s considered “enterprise class” is Nessus. (As of Nessus 3, the license is no longer “open source”. Free as in beer.) The problem is there’s no central management. In fact, Tenable sells a commercial management system for enterprise Nessus use for that very reason. I’ve looked into Nessus/SecurityCenter in the past, and found the interface to be barely usable and the false positive rate through the roof; basically, it was nearly impossible to get actionable information out of it.

My opinion is that we want to go with a solution that allows us not only to check the compliance checkbox, but to actually improve our overall security posture. Any vulnerability management program really comes down to the processes in place to prioritize and remediate identified issues, but for that to work, the process needs to be fed good, actionable information. Qualys is the best solution to provide that.

From an operator’s standpoint, Qualys is the easiest solution to manage. This is important once you are scanning more than a small network, because unless you’re able to organize, it’s really difficult to accurately classify assets and report on vulnerabilities. Again, it’s a matter of getting the right information, and then getting it to the right people.

I’m a big fan of open source/free software when appropriate, but I’ve found that for most security applications, open source lags pretty far behind. The big name open source security products generally have a commercial enterprise component for management of larger installations (Tripwire, Snort), and for good reason. Once you’re beyond a very small target network, the volume of information is such that it’s really impossible to get any useful information out if there’s no central management, reporting, etc.