Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

The best free vulnerability risk assessment tools

Application security expert Michael Cobb discusses three free vulnerability risk assessment tools you should consider leveraging in the enterprise.

What are the best free tools available that can help enterprises conduct a vulnerability risk assessment?

A vulnerability assessment involves identifying and quantifying resources residing on a network, then identifying and prioritizing any vulnerabilities or potential threats to each of these resources. The number of free, enterprise-grade tools to complete these tasks is not as great as an initial search on the Internet might suggest. Many tools that were once open source, such as Nessus, have been turned into commercial products, while others offer only a free version for use only in the home or on a network of limited size. Nessus was certainly the premier open source vulnerability scanner, but Tenable Network Security changed it to a proprietary license in October 2005. I would therefore recommend OpenVAS, which began as a fork of the original Nessus project.

OpenVAS is a framework of several services and tools for vulnerability scanning and management. It maintains a public feed of more than 33,000 network vulnerability tests, and is regularly updated. Various other free security tools are integrated into OpenVAS, including plug-ins such as Nmap, a utility for network discovery and inventory. One of the critical tasks in a vulnerability assessment is discovering all the resources that exist within the network infrastructure; Nmap is one of the best tools for doing this. Organizations often omit the discovery phase when they conduct a vulnerability risk assessment, instead working from what they know (or what they think they know) is on their network. Using Nmap provides a comprehensive inventory for both assessment and audit purposes.

Enterprises that operate a Microsoft-based network have the option of using Microsoft's free Baseline Security Analyzer (MBSA), a standalone security and vulnerability scanner designed to identify common security misconfigurations. It also includes built-in checks for Windows administrative, Internet Information Server and SQL vulnerabilities, and missing security updates for Windows operating software and Office applications. The reports produced by MBSA show severity ratings for any failed checks in accordance with Microsoft's security recommendations, and offer specific guidance on how to fix any problems. The Microsoft Security Blog has more information about its other free security tools.

If an enterprise runs Internet-facing services, Web application vulnerability scanning is very important; the majority of vulnerabilities are found at the application layer, and this is where attackers focus most of their efforts. The leading open source penetration testing tool is Metasploit, which can be used to simulate attacks on a network to assess and validate vulnerabilities and verify the effectiveness of the security controls used to mitigate them.

No vulnerability risk assessment tools -- free or paid for -- are plug and play, set and forget. Although free tools can offer great value, security teams need time to learn how they work, how they can be used without severely disrupting day-to-day network traffic and operations, and what the results and reports mean.

Of course, there is no point in conducting a risk assessment if the findings aren't acted upon and controls put into place to mitigate any vulnerabilities it finds. This is the stage in vulnerability management that actually reduces risk and strengthens an enterprise's overall security posture. Remember, too, that a vulnerability risk assessment is not a one-off event but rather an ongoing activity. Once the security team has acted on the results and deployed the appropriate security controls, it will probably be time to repeat the process.

SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)

This was last published in July 2014

Dig Deeper on Risk assessments, metrics and frameworks