Tuesday, February 5, 2008

Vulnerability Assessment Vendors

Q: Do you have any recommendations for the Vulnerability Assessment Vendors / Products / Services?

A: Hi ...,
My recommendations will not be neutral (since I did not evaluate all vendors), but I might help you identify the better vendors/products/services.

There are so many options; maybe that is why recommendations matter. Here is my quick and dirty list:

Option 1: You can go to a security consultancy shop and ask for a vulnerability assessment service.
All accounting firms and IT consultancy shops will offer something (PwC, Deloitte & Touche, Ernst & Young, KPMG, Grant Thornton LLP, or BDO). There are also risk management companies like Protiviti who can offer high-end assessment services.

As expected, the bodyshops with security practices like CSC and IBM offer vulnerability assessment services, along with the Telcos (Verizon, AT&T, etc.).

And of course all security integrators offer the service.

My quick qualification criteria would be:
1- See the actual resumes of the consultants who will perform your scan; buy the consultants, not the brand. If possible, interview the consultants.
2- Check the methodology documents from the consultancy shop; make sure that the structure is detailed enough for your requirements. You may also check them against frameworks like OSSTMM, OWASP, etc.
3- Check previous deliverable documents (sanitized versions).
4- Check references.

Option 2: Using regular vulnerability scanner products in a box: You can start with the free Nessus and go all the way up to Tenable, nCircle, ISS, Foundstone (McAfee), eEye, SAINT, etc.
These products require your internal resources, but you have the option to automate scheduled or event-driven scans.

My quick checklist would be:
1- Research arm depth of the vendor: are they using public data or actual vulnerability research information?
2- Open source integration, ability to support custom signatures and 3rd-party signatures
3- Integration with other enterprise tools, especially with IPS, SIEM, GRC and help desk systems
4- Easy to use, easy to configure, support for distributed deployment
5- Ability to understand network topology (hosts behind a firewall, hosts that are not routable, hosts that have a host firewall, etc.)
6- Non-intrusive
7- Speed: must be fast enough to scan a large quantity of hosts in a limited time frame


Option 3: Find an in-the-cloud service offering from product companies or specialists like Outpost24 or Qualys (vulnerability-scanner-as-a-service or on-demand vulnerability scanning), or from managed security services providers (MSSPs). Payment Card Industry Approved Scanning Vendors (ASVs) may give you a good start for the list of service providers:
https://www.pcisecuritystandards.org/pdfs/asv_report.html
Lately all product vendors have joined the long list of on-demand remote scanning providers.

When buying a service, make sure that you check both the option 1 and option 2 checklists; you need both. It is also important to see how a remote scanner company will scan your internal systems: they need a device at your premises (CPE), which should not require a lot of attention (firewall configuration, etc.). I have also seen that self-service providers should have state-of-the-art portal interfaces to manage your scans. Test the portals before moving forward.

Option 4: Specialty scanners. So far I have talked about regular network scanners. If you are planning to scan a web application, a database or an enterprise application with XML transactions, you should check different vendors/consultants/services. The criteria are a little different: deep application know-how is a must. There are also a couple of pen test tools in the market (e.g. Core Impact).

I strongly recommend going over the following presentation to find out what is out there:
http://www.owasp.org/images/f/ff/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt

Well, still no recommendation, but please let me know if you have any specific questions.

Regards,
- yinal ozkan