
The devil lies in the details

By Bozidar Spirovski

Added 29 January 2010

Smart tips for CIOs shopping for vulnerability management software


Vulnerability and compliance management offerings are springing up like mushrooms. There is a beehive of activity among Software as a Service (SaaS) companies focusing on vulnerability management as a way to extend their reach. Most companies in this market describe their SaaS service as an on-demand solution for security risk and compliance management.

There are five players who are setting the rules of the game: Random Storm, OutPost24, McAfee, Tipping Point and Qualys. Bear in mind that this list does not include all relevant vendors, so you may want to extend your search. But it is a representative sample that will help you review what the competition is offering.

The services are usually delivered as dedicated black-box appliances placed within your infrastructure. The appliance performs the scanning or the IPS/IDS (intrusion prevention system/intrusion detection system) function, but the results are sent to the cloud, where the reports are generated. Most companies offer the usual set of services:

  • Vulnerability Scanning: The basic vulnerability scanning on offer is nothing special, but it is certainly comparable to your local vulnerability scanner.
  • PCI DSS Scanning: Payment Card Industry Data Security Standard (PCI DSS) compliance was an important differentiator for SaaS vulnerability scanning. PCI DSS requires quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council, so the SaaS vulnerability management companies got themselves certified and created PCI DSS scan profiles. But for your everyday work, your local vulnerability scanners ship the same PCI DSS scan policies; the only scan you have to commission from an ASV is the external scan, four times a year, for the PCI DSS audit.
  • Managed Intrusion Detection: Much like vulnerability scanning, this is more or less what your local IPS/IDS does, but here the alerts are shipped out to the cloud, where they are analysed and compared.
  • Reporting and Fix Tracking: This element may be a real differentiator, though local vulnerability scanners are catching up. In a SaaS solution all results are kept as reports, so you can easily produce comparative baseline reports (what is new, what was fixed, what persists since the last scan) or even assign the fixing of specific vulnerabilities to named people. The system automatically sends reminder e-mails to those people and re-scans after the configured deadline to verify the fix.
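
The comparative baseline report and the fix-tracking loop described in the last bullet are simple enough to model end to end. The following is an added example written for this article, not code from the author or from any of the vendors named above: it diffs two scan runs into new, fixed and persisting findings, turns each open finding into a task with an owner and a severity-based deadline, lists the tasks due a reminder, and closes or escalates them after the re-scan. The hosts, check identifiers, owner addresses and SLA table are all constructed sample data.

```python
"""Comparative baseline report and fix tracking for vulnerability scans.

Added example, not code from the article or from any vendor's product.
Hosts, check ids, owners and remediation SLAs are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str      # scanner check identifier (constructed, not a real plugin id)
    severity: int   # 1 = low ... 5 = critical

    def key(self):
        # A finding is "the same" across scans if host, port and check match.
        return (self.host, self.port, self.check)


# Constructed scan results: a baseline run and the next scheduled run.
BASELINE_DATE = date(2010, 1, 4)
BASELINE = [
    Finding("web1.example.internal", 443, "ssl-weak-cipher", 3),
    Finding("web1.example.internal", 80, "apache-outdated", 4),
    Finding("db1.example.internal", 1433, "mssql-blank-sa-password", 5),
    Finding("mail1.example.internal", 25, "smtp-open-relay", 4),
]
CURRENT_DATE = date(2010, 1, 18)
CURRENT = [
    Finding("web1.example.internal", 443, "ssl-weak-cipher", 3),
    Finding("db1.example.internal", 1433, "mssql-blank-sa-password", 5),
    Finding("web2.example.internal", 8080, "tomcat-default-credentials", 5),
]

# Assumed owner mapping and remediation SLA (days) per severity.
OWNERS = {
    "web1.example.internal": "web-team@example.com",
    "web2.example.internal": "web-team@example.com",
    "db1.example.internal": "dba@example.com",
}
DEFAULT_OWNER = "security@example.com"
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 60, 1: 90}


def diff_scans(baseline, current):
    """Comparative baseline report: which findings are new, fixed, persisting."""
    base = {f.key(): f for f in baseline}
    cur = {f.key(): f for f in current}
    return {
        "new": sorted((cur[k] for k in cur.keys() - base.keys()), key=Finding.key),
        "fixed": sorted((base[k] for k in base.keys() - cur.keys()), key=Finding.key),
        "persisting": sorted((cur[k] for k in cur.keys() & base.keys()), key=Finding.key),
    }


@dataclass
class Task:
    finding: Finding
    owner: str
    due: date
    status: str = "open"    # open -> closed (gone on re-scan) or overdue (still present)


def assign_tasks(findings, scan_date):
    """Turn every open finding into a remediation task with an owner and a deadline."""
    return [
        Task(f, OWNERS.get(f.host, DEFAULT_OWNER),
             scan_date + timedelta(days=SLA_DAYS[f.severity]))
        for f in findings
    ]


def reminders_due(tasks, today):
    """Open tasks whose deadline has arrived; these get the reminder e-mail."""
    return [t for t in tasks if t.status == "open" and t.due <= today]


def reconcile_rescan(tasks, rescan_findings, today):
    """After the deadline, re-scan: close tasks whose finding is gone, flag the rest overdue."""
    still_present = {f.key() for f in rescan_findings}
    for t in tasks:
        if t.status != "open" or t.due > today:
            continue            # not yet due, leave it open
        t.status = "closed" if t.finding.key() not in still_present else "overdue"
    return {s: [t for t in tasks if t.status == s] for s in ("open", "closed", "overdue")}


# Constructed re-scan run after the critical findings' 7-day deadline.
RESCAN_DATE = date(2010, 1, 26)
RESCAN = [
    Finding("web1.example.internal", 443, "ssl-weak-cipher", 3),
    Finding("db1.example.internal", 1433, "mssql-blank-sa-password", 5),
]


if __name__ == "__main__":
    for bucket, items in diff_scans(BASELINE, CURRENT).items():
        print(f"{bucket}: {[f.key() for f in items]}")
    tasks = assign_tasks(CURRENT, CURRENT_DATE)
    for t in reminders_due(tasks, RESCAN_DATE):
        print(f"reminder -> {t.owner}: {t.finding.check} on {t.finding.host} was due {t.due}")
    for status, items in reconcile_rescan(tasks, RESCAN, RESCAN_DATE).items():
        print(f"{status}: {[t.finding.check for t in items]}")
```

The identity of a finding across scans is deliberately (host, port, check) rather than the scanner's own result id, because ids change between runs; this is also why a renumbered host or a moved service shows up as "fixed" plus "new" rather than "persisting", which is the behaviour you want a baseline report to make visible.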

Vulnerability Management - Local or Managed?
In conclusion, local and managed solutions currently coexist quite comfortably, and function-wise they are comparable. So which one should a company look at?

  • The local solution can easily be reconfigured and pointed at different targets. It is very flexible and, because it is usually installed on a laptop, very portable. It is an excellent choice for anyone who needs to scan from different positions in the corporate network: IT security teams, penetration testers, external auditors and consultants.
  • The managed (SaaS) solution is stationary, fixed and quite cumbersome to move around. It usually lives in the datacentre as a black-box probe, or at the managed service provider as an external scanner. It can be configured with the required targets, scheduled to run at regular intervals and used to perform recurring controls. It is a good choice for internal auditors, security officers and compliance officers, as there is no maintenance to do; it is all handled by the managed service provider.
  • Calculate the optimal price/performance point. The SaaS versions are usually yearly subscriptions charged per number of IP addresses scanned; this price can be significant, and you are tied to the block of IP addresses you licensed. On the other hand, local scanners require hardware to run on, and you still pay a subscription for vulnerability signature updates. So you need to work out your optimal cost based on your own requirements and expectations.

Bozidar Spirovski of Information Security Short Takes is an expert on security issues. This article is published with prior permission from www.information-security-resources.com
