Strengths: Highly customizable, easy to use, central management and correlation.
Weaknesses: Report engine can be difficult to use, high cost.
Verdict: A capable product with solid enterprise application.
The StillSecure VAM is a solid vulnerability assessment appliance with a longstanding pedigree. The VAM also is available in a software-only version. Implementation of the product is straightforward and the web-based user interface is intuitive. Operation and administration are acceptably easy and a plethora of wizards makes most tasks quick and effective.
Reporting is good and includes many templates. However, setting up reporting can be a bit tedious. As with many of the products we evaluated, VAM supports compliance testing, especially PCI. We found the compliance reporting strong.
We had no trouble implementing the VAM in our test environment. There is a clear install guide that takes you through initial configuration. For much more depth, the user guide offers additional configuration information and specific details on VAM capabilities. The documentation is in PDF files that are loaded with screenshots, examples and menu descriptions.
VAM is Linux-based, but the VAM OS is somewhat purpose-built. Today that can mean anything from a completely new operating system to a hardened version of an existing one. In this case, there is a lot of Linux (a hardened version of Red Hat) in the VAM. This makes for an efficient operating environment. We found no obvious way to compromise the VAM OS.
The product provides network mapping and discovery, and this can be automated and scheduled. We found performance above average, with the appliance identifying over 75 percent of our vulnerabilities. In addition, the VAM can act as a centralized dashboard correlation center, accepting scanner output from other scanners, such as Nessus and ISS Internet Scanner, as well as from other copies of the VAM.
Support is superior, with standard support including email and phone. Additional support packages include product updates and upgrades and rule updates. There is a frequently asked questions section on the website, as well as other useful resources.
We found the VAM to be a bit pricey, however. Although the product performs well and is scalable, at $40 per IP address, the VAM can be quite expensive for large enterprises.