First, look at vulnerability scanners that can test networks, systems and applications. These are usually three separate product categories, but since any of your systems can be compromised by any attack vector, you'll need all three in order to compile a comprehensive list of what is vulnerable.
You may also want to look at an automated penetration-testing product. There are both open source and commercial options available; these can take vulnerability scanners to the next level and help you determine not only what is vulnerable, but also what can be exploited.
Finally, consider some good old-fashioned elbow grease in your risk assessment as well, in the form of a penetration test performed by humans. This can help you understand both the physical and logical places where your networks and/or systems can be compromised. Software is still evolving and can't really evaluate all of the social engineering techniques that modern-day hackers employ.
So in a nutshell, it's a little more complicated than going down to Best Buy and buying a yellow (or green) box to fix your problems. You'll need to use a variety of tools, assemble and assimilate the results and figure out what is truly at risk. So your most effective software is going to be the OS running in your brain.
For more information:
Dig Deeper on Sarbanes-Oxley Act
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.