In Chapter 7, we discussed the methodology behind vulnerability management. In this chapter, we discussed the features an ideal vulnerability tool would have, although we understand why such a tool doesn't exist. However, as we discussed, some vendors are getting close to delivering complete solutions in this comparatively new discipline in information security.
We briefly discussed some of the players, but gave no suggestions regarding the pros and cons of the tools because there is no one tool that fits all the requirements of an organization. Although the open source community has a wealth of great tools available, there isn't one tool that supports all of the facets of vulnerability management; rather, there are bits and pieces scattered among many authors.
To close out the chapter, we discussed some of the pros and cons of leveraging an outsourcer to manage parts of a vulnerability management program. It's conceivable, and many organizations do it, but it's imperative to put in place some serious guidelines and detailed service-level agreements beforehand to ensure that no one becomes disappointed with the delivery of the service.
Solutions Fast Track
The Perfect Tool in a Perfect World
- The perfect vulnerability management tool would include asset management, vulnerability assessment, configuration management, patch management, remediation, reporting, and monitoring capabilities.
- All of these components interoperate, pushing and pulling data as each task is performed.
Evaluating Vulnerability Management Tools
- No one vendor has a solution or set of technologies that completely addresses all aspects of the vulnerability management life cycle.
- Several key questions can assist you in evaluating vulnerability management tools and, hopefully, in identifying gaps in terms of capabilities.
Commercial Vulnerability Management Tools
- The vulnerability management market is changing frequently due to mergers, acquisitions, and alliances. Numerous vendors provide tools in this space, so you must identify your needs prior to evaluating technologies.
Open Source and Free Vulnerability Management Tools
- The open source community has created some great security tools.
- No one tool provides a complete vulnerability management solution.
- It may not require much effort to create interoperability between open source vulnerability management tools.
Managed Vulnerability Services
- Set some serious guidelines and detailed service-level agreements to ensure that no one becomes disappointed with the delivery of a service.
- Before selecting a vendor, confirm which products the vendor is using and how the information is distributed to interested parties.
- Ensure that you have access to the raw data.