Vulnerability assessment and management systems
Information security's biggest vendors may be claiming a stake in the vulnerability management market, but privately held Qualys isn't having any of it.
Taking the top prize in this category for the second consecutive year, QualysGuard Enterprise specializes in automated vulnerability identification and remediation for large organizations with thousands of devices across segmented and remote networks.
Readers once again gave the product high marks across the board, lauding its ability to quickly and accurately identify vulnerabilities, breadth of applications and devices covered, and the vendor's service and support.
Like many vulnerability management products, QualysGuard is expanding beyond strict vulnerability management, with a strong emphasis on policy compliance: new features document, enforce and audit internal security policies, industry regulations and government mandates.
NOTABLE It's not all roses. Current Analysis research director Andrew Braunberg says Qualys and other key players know the standalone vulnerability management market is fading away. "I think a broader compliance management play will be an easier transition for them, and they've already started it."
McAfee Foundstone Enterprise
McAfee's vulnerability management product finished a close second, as readers noted its scalability, strong workflow and return on investment.
In addition to its baseline features, such as priority-based audit and remediation, discovery of unmanaged devices and its varied reporting options, version 6.5 of Foundstone Enterprise offers new scan management that enables scans to be run without selecting a specific scan engine. The latest edition can also import data from LDAP or Active Directory servers to more quickly identify IP addresses for scan configurations.
Perhaps most notable are numerous new policy audit features, such as Windows and UNIX host-scanning for predefined policy violations. The product also offers policy templates to help organizations check their compliance status against major industry mandates like SOX, GLBA, PCI DSS and FISMA, among others.
Current Analysis' Andrew Braunberg says McAfee wasn't quick to take advantage of Foundstone's technology following the 2004 acquisition, but that he's impressed by its new direction. "They were really a company that couldn't focus, but now they have this broad risk management play, and Foundstone was the start of that."
NOTABLE Foundstone On-Demand offers similar features via a hosted service.
This was first published in April 2008