I have been researching vulnerability assessment tools. There are a lot of reports saying why one product (usually that company's product) is better than the others. I have also noticed that most of the comparison data is well over a year old with the usual suspects appearing on the list -- Nessus, ISS, eEye, Saint, etc. Which ones do you recommend and why? Personally, I lean towards Nessus for its low cost; it's also been rated as one of the best tools in the comparison data I've researched. Also, do you know of any current comparison data?
The last comparison report that I saw done by an independent source is more than two-years-old and was done by Network World.
I recommend Nessus and SARA. My reasons are that both are free and have good reputations, and at the time of that last study, a combination of the two tools covered all of the common vulnerabilities that they were looking for. The reason I recommend the free tools, at least to start, is that you may as well clean up all the problems that the free tools find before you bother to invest any money in the commercial products. ISS is a very fine product, but it can be quite expensive. SARA is nice in that the reports that it produces link to the CVE database and generally tell you how to fix the problems that are found. I've often thought that if the Nessus engine had the SARA reporting mechanism, you'd have the best of both worlds. Now, my job has not included scanning systems for about 18 months, so perhaps Nessus has improved its reporting capability in that time. To me, that was always the main drawback to Nessus.
For more info on this topic, visit these SearchSecurity.com resources:
Dig Deeper on Risk assessments, metrics and frameworks
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.