The pen test is mightier: Vulnerability management
Peter Stephenson, technology editor, SC Magazine
This month we take up vulnerability management tools. This is, like just about everything we are seeing this year, a rapidly evolving category. Ever since the classic paper by Farmer and Venema in 1993 on penetration testing (“Improving the Security of Your Site by Breaking Into It”), the field of vulnerability assessment and penetration testing has evolved rapidly and the tools have come along as well.
Strangely, the tool created by Farmer and Venema – SATAN – was, for the time, what we certainly would consider a penetration testing tool. However, it met with a mixed response. Hacking one's own site, it seemed, was just too much for some security pros, not to mention management, to swallow. But the cat was, so to speak, out of the bag. The idea of doing unto yourself as others would do unto you – but doing it first – was beguiling, especially since the hacking community at the time was really just getting up a head of steam.
The evolution progressed in a couple of directions. First, there were the hard-core security pros who understood the benefits of hacking one's own site to see what the bad actors saw and then fixing it before they found out. Then there were the gentler souls who wanted to know what might allow a successful hack so they could head it off before it happened. They argued that pen testing or, as IBM marketers put it, "ethical hacking," was not only an ethical bridge too far, but also didn't necessarily uncover all of the holes in the system. Vulnerability assessment was born.
After a while the really savvy pros started to understand that a vulnerability was sometimes not an important vulnerability at all if it could not be exploited. We've all done vulnerability assessments that gave us a zillion hits, of which 99 percent were not particularly useful. So these folks hit on an approach: Run the VA, then test the findings with penetration tests to see if the holes could actually be exploited. Some tools even went so far as to build both capabilities into the same product. Open source tools flourished, and tools such as Metasploit took the market by storm.
Then – in the past 18 months or so – things got too complicated for this approach by itself. Now it is necessary to understand how the bad actors are likely to develop an attack and whether it might succeed. We also want to know what – if success is indicated – we can do to break the cycle. We developed the "kill chain" to help us understand the attack process, and tools started taking attacker creativity into account. Toss in some malware, phishing and the like, and the threatscape is pretty hairy.
Finally, a few years back the notion of managing vulnerabilities emerged. That meant we needed patch management and test/re-test cycles added into the mix. And that, pretty much, is where we are today. Today's batch of vulnerability management tools is a mix of just about any capability you can imagine to keep tabs on the vulnerability exposure of your enterprise and manage that exposure to lessen risk as much as practical. And where we are today is what this month's collection of tools is all about.