What vulnerability assessment tools do you recommend?

What vulnerability assessment tools do you recommend?

I have been researching vulnerability assessment tools. There are a lot of reports saying why one product (usually that company's product) is better than the others. I have also noticed that most of the comparison data is well over a year old with the usual suspects appearing on the list -- Nessus, ISS, eEye, Saint, etc. Which ones do you recommend and why? Personally, I lean towards Nessus for its low cost; it's also been rated as one of the best tools in the comparison data I've researched. Also, do you know of any current comparison data?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The last comparison report that I saw done by an independent source is more than two-years-old and was done by Network World.

I recommend Nessus and SARA. My reasons are that both are free and have good reputations, and at the time of that last study, a combination of the two tools covered all of the common vulnerabilities that they were looking for. The reason I recommend the free tools, at least to start, is that you may as well clean up all the problems that the free tools find before you bother to invest any money in the commercial products. ISS is a very fine product, but it can be quite expensive. SARA is nice in that the reports that it produces link to the CVE database and generally tell you how to fix the problems that are found. I've often thought that if the Nessus engine had the SARA reporting mechanism, you'd have the best of both worlds. Now, my job has not included scanning systems for about 18 months, so perhaps Nessus has improved its reporting capability in that time. To me, that was always the main drawback to Nessus.

For more info on this topic, visit these SearchSecurity.com resources:
  • Network Security Tip: Vulnerability scanning with Nessus
  • Ask the Expert: Can you recommend some software that would test my Web site's security?
  • Tip: Vulnerability assessment: Leave the scanning to someone else?

    This was first published in May 2004