Failure to fix known software vulnerabilities is a big reason why organizations' networks get breached. In some cases organizations run software with known vulnerabilities for years. Forty-four percent of known breaches in 2014 were caused by unfixed vulnerabilities that were between two and four years old, according to HP's Cyber Risk Report 2015.
This is why vulnerability assessment tools are so important. Some work in a similar way to anti-virus scanners, methodically scanning through all your applications, identifying each one and its version, and cross-referencing them against a frequently updated database of vulnerabilities. They then flag any vulnerable software that you may be running. A good scanner should also make it easy to update the vulnerable application or mitigate the risk in some other way.
Other tools such as Web server and application scanners probe applications to see if they are vulnerable to certain types of attack (like SQL injection) by scanning for poor code or coding errors such as incorrectly filtering escape characters in user input.
Automated Vulnerability Assessment
An automated approach to spotting known vulnerabilities is important because the security of applications changes over time as new vulnerabilities are discovered, and new vulnerabilities are discovered every day.
As an illustration of this, container management company CoreOS reported recently that 80 percent of the Docker images stored in its container image repository had well-known vulnerabilities such as Heartbleed. It's likely that many of these Docker images had no known vulnerabilities when they were created, but anyone checking out and using one of these images a few months later would be vulnerable - unless the image was scanned for vulnerabilities beforehand.
In practice it is impossible for larger organizations to fix every vulnerability immediately because of the need to extensively test patches and updates. That means good vulnerability assessment tools will include or integrate with some sort of risk assessment and prioritization tool, enabling you to concentrate on fixing vulnerabilities that represent the highest risk.
Penetration testing tools can help by allowing you to see if a particular vulnerability can be exploited successfully in your environment without detection and prevention by any of your security systems.
If it can't be exploited without prevention or detection, a vulnerability can be marked as relatively low risk and fixing it can be de-prioritized.
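The version cross-referencing described in the opening section and the prioritization described here can be sketched as follows. This is an added example, not code from the article or from any scanner it names; the package names, advisory IDs, version ranges, hosts and the 0.3 risk discount are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed advisory feed: placeholder IDs, made-up packages and ranges.
# Fields: (id, package, first affected, first fixed, base severity 0-10)
ADVISORIES = [
    ("EXAMPLE-0001", "examplessl", "1.0.1", "1.0.2", 9.0),
    ("EXAMPLE-0002", "exampleweb", "2.0.0", "2.4.7", 7.5),
    ("EXAMPLE-0003", "exampledb", "5.1.0", "5.6.3", 6.0),
]
# Constructed inventory: (host, package, installed version)
INVENTORY = [
    ("web01", "examplessl", "1.0.1"),
    ("web01", "exampleweb", "2.4.7"),   # already at the fixed version
    ("db01", "exampledb", "5.6.2"),
    ("db01", "examplessl", "1.0.10"),   # newer than 1.0.2 when compared numerically
]
# Constructed pen-test results: exploit attempt was blocked or detected.
BLOCKED_OR_DETECTED = {("web01", "EXAMPLE-0001")}

def parse_version(text):
    """Turn '1.0.10' into (1, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def is_affected(installed, first_affected, first_fixed):
    """True if first_affected <= installed < first_fixed."""
    v = parse_version(installed)
    return parse_version(first_affected) <= v < parse_version(first_fixed)

@dataclass
class Finding:
    host: str
    package: str
    version: str
    advisory: str
    risk: float

def assess(inventory, advisories, mitigated, discount=0.3):
    """Match inventory against advisories and return findings, highest risk first."""
    findings = []
    for host, package, version in inventory:
        for adv_id, adv_pkg, lo, hi, severity in advisories:
            if package == adv_pkg and is_affected(version, lo, hi):
                # Assumed weighting: controls that stopped the test lower the risk.
                factor = discount if (host, adv_id) in mitigated else 1.0
                risk = round(severity * factor, 2)
                findings.append(Finding(host, package, version, adv_id, risk))
    return sorted(findings, key=lambda f: f.risk, reverse=True)

if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES, BLOCKED_OR_DETECTED):
        print(f"{f.risk:>5}  {f.host}  {f.package} {f.version}  {f.advisory}")
```

Comparing versions as plain strings would wrongly flag 1.0.10 as older than 1.0.2, which is why the versions are parsed into integer tuples first.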
Open Source Vulnerability Assessment Tools
As with other security tools, open source software can offer a low cost and highly flexible alternative to proprietary tools.
Because maintaining a list of vulnerabilities (and discovering new ones) is a significant task, many of the early open source vulnerability scanners such as Nessus and SAINT have morphed into proprietary products. Nessus is now owned by Tenable Network Security, and the company produces updates for new vulnerabilities within 24 hours of a new vulnerability's release.
Open source vulnerability scanners do still exist, however. For example, the last open source Nessus code was forked into a new project called OpenVAS, which is also maintained on a daily basis.
Many proprietary vulnerability scanner vendors have now expanded beyond their primary goal of vulnerability scanning. For example, SAINT Corporation offers a broader product called SAINT 8 Security Tool Suite which includes prioritization, remediation ticketing, risk assessment and audit and compliance reporting. And its SAINTscanner product has an integrated penetration testing tool called SAINTexploit which can be used to help assess how viable a vulnerability really would be to exploit in your environment.
Open Source Security Distributions
While not as convenient as using a single product, the good news is that you can replicate much of the functionality of these popular proprietary vulnerability assessment suites by using a range of more specialized open source vulnerability assessment tools. Many of them are conveniently bundled in security distributions such as Offensive Security's Kali Linux.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.