Vulnerability testing has changed markedly over the past few years. Hall of Famers in this space have contributed mightily to these changes, which largely deal with redefining what we mean by vulnerability assessment (VA) in the first place. This year's Innovator has been in the thick of this evolution since the first vulnerability test tool was invented in the open source community.
While there have been numerous prequels to the current state of vulnerability assessment (VA) tools, the Big Kahuna has been combining traditional VA with traditional penetration testing to get a sort of super tool that covers the entire vulnerability management waterfront. That term – vulnerability management – is a Holy Grail for this product space. There are good vulnerability management tools available. Some even do both automated VA and pen testing. However, as a genre, these tools have a way to go to be fully baked.
What we have now, in addition to some capable vulnerability management tools, are some very capable VA and pen testing tools. What we don't yet have is everything in a single kit. This year's Innovator is approaching that Nirvana from the VA/pen testing perspective.
VA is not rocket science to perform automatically. VA scans, after all, are pretty automated from the beginning. The scan starts and then reports back its findings in the form of a report – and that's it. Done. Pen testing can be automated, and there are times when that is useful, but it usually doesn't work as well as automating VA does because there always is the necessary human intervention.
But what if one wanted to combine VA and pen testing, automate the process, and make the human less necessary? That would approach the pot of gold and, if one could add the right workflow for remediation and retesting, the goal would be attained. That's where this market needs to go, and this year's Innovator has played a key role, along with other Hall of Famers, to get to this promised land.
Saint is back this year for its second bite at the Innovator apple. This is only proper since Saint has a very long history – one of the longest, in fact, of all of the vulnerability assessment tools. Over that history – which began formally in 1998, although Dan Farmer and Wietse Venema actually released the open source version of its predecessor, Security Administrator Tool for Analyzing Networks (SATAN), in 1995 – Saint has won numerous awards, innovated in many ways, and, in general, helped change the way we test our enterprises for vulnerabilities.
The Saint website gives a good view of what drives the company: “Since its inception in 1998, Saint Corp. has been developing software products to make network security easy and affordable.” Ease of use and affordability have been the company's hallmarks since its inception. However, that has not been an easy road. First, Saint started out running in a *nix environment, rather than on a Windows box. Many novice penetration testers had some difficulty with that, but Saint persisted.
Linux is the primary tool for system hacking. All of the best scripts run on it, and developing new tools is easier than in Windows. The code also tends to be more compact. Today, Saint has added the Mac to its arsenal and that, too, should be no surprise. With its *nix roots, the current Mac operating system is so good for system testing that Macs are slowly becoming the tool of choice for pen testers in general.
One of Saint's major innovations was the integration of penetration testing and vulnerability assessment. Since the network assessment process usually begins with automated or semi-automated vulnerability scans, and progresses to attempting to exploit weaknesses found by those scans, a product that does both – and integrates both results and reporting – is a powerful tool indeed.
Overall, the company's objectives are to develop technology that is more useful for the customer. Saint's vision is to be a leader. That's what drives them: Striving to figure out what the next need is going to be and then producing it. The company is small and agile enough to run with something new very quickly, achieving a speedy turnaround on new products and ideas.
AT A GLANCE
Flagship product: Saint Professional
Cost: $8,000 (roaming Class C, one-year subscription)
Innovation: Combining vulnerability assessment and penetration testing in a single application.
Greatest strength: A holistic view of the vulnerability testing process and a keen ear for customer needs.