Secunia VIM v4.0
Strengths: Speed and the ease of delegating assets to various users.
Weaknesses: No significant weaknesses.
Verdict: A very good product for large enterprises.
The Secunia VIM is a real-time vulnerability intelligence and management tool, providing organizations with the necessary information required to analyze vulnerabilities in their IT infrastructure, as well as track them from a centralized dashboard interface. The tool allows organizations to define customized filters according to software responsibility and compliance criteria for each of the recipients in their organization. Personalized security alerts can be issued in real time whenever a new vulnerability in the IT infrastructure is discovered. It also helps ensure compliance through policies and reporting of advisories for each asset. Other features include a built-in ticketing system, proof-of-concept modeling, alternative remediation options, flexible alert formats and more.
The product is a web-based application service and only requires a web browser and internet access to connect to the system. The browser must support first-party cookie settings, session cookies and a PDF reader. If Internet Explorer is used, it should be version 6 and above. Users will also need a username and a passcode (the Secunia password must be changed on first use). During the initial setup, the dashboard was used to indicate which elements were improperly configured or were missing. At one point, we needed to contact support to help understand how to complete the configuration of advisory tickets. The support person was professional and patient. In a very short time, the issue was resolved (our error, as we chose a "product" that did not generate any patch warnings for the past year). Once the asset management options (vendors and products) were properly selected, the vulnerabilities were immediately discovered and tickets issued to multiple support personnel. The well-prepared advisories and associated patches provide clear instructions for the ticketing system. After working through all of the settings and options, the reporting functions were ready for use. The automated and on-demand reports were sent via email. The report options allowed for a wide variety of detailed reports. These were presented in a way that was easy to read and understand. Further, the ticketing system had all of the features one would expect. For example, one of the features within the ticketing module that we found useful was the option to identify whether the assets were out of compliance with specific policies. The "Irrelevance" reporting was a great tool, making it possible to avoid or delay the handling of vulnerabilities that were mitigated by other remediation activities. We also found the speed of this product to be impressive. There was no lag in any of the various functions. Even the historical searches were almost instantaneous.
Eight-hours-a-day/five-days-a-week phone and email support is available at no extra cost. Secunia also provides support on its website, including a searchable knowledge base, as well as a FAQ. Customers have access to a fairly comprehensive community forum for information sharing, access to advisories and more via postings, chats, debates and connection to Secunia personnel. The company provided an excellent technical user guide with screen shots and narratives that mirror (for the most part) the "Help" function within the product. Secunia has opened its 10 years' worth of vulnerability research to the public.
Overall, the value for the cost of this product is good.