
How to select the best security assessment tool for the job

Here are four factors to take into account when choosing a security assessment tool.

A wide range of testing gizmos are available that can perform security vulnerability assessments, including basic port scanners, network and OS vulnerability assessment tools -- even complex Web application penetration testing programs. If you need to perform a security vulnerability assessment or plan to outsource one, it pays to know which security tools work best for particular tasks and to take the time to choose the right tool.

Basic port scanners that I find very useful are Foundstone's SuperScan and Fyodor's nmap. These scanners can be used for initial reconnaissance probing to map out a network and to gather information on live systems and services that are running on the network. SuperScan 4.0 even offers up some more advanced Windows enumeration features that can prove beneficial for further poking and prodding.

Security vulnerability assessment (VA) tools are available as freeware, open source or commercial products. These tools not only have features to map out the network, but they go deeper to see what's actually running and to identify known and potential vulnerabilities. The security tool spectrum is broad. Solutions range from ASP-based tools such as Qualys' QualysGuard, other commercial GUI-based tools such as Application Security's AppDetective and Elcomsoft's Proactive Windows Security Explorer that are very simple to configure and operate, to tools that require more technical knowledge to use such as the GUI-based Nessus and the command-line based Nikto.

With so many options, it's hard to decide what's best for your specific environment. Your goal is to avoid devoting endless, non-productive hours trying to figure out how to use a complex "free" utility that in the end offers limited value or using a simple GUI-based tool that doesn't offer quite the "functionality" that the marketing folks want you to believe. So, here are several steps to help you pick the proper security assessment tool:

  1. Outline specific goals
    Before you research and analyze available assessment tools, define specific goals. There's no security assessment tool that performs all possible security tests. Identifying your goals will determine whether you require a port scanner to check for live systems, an application scanner to check for Web application vulnerabilities or a network analyzer to show what protocols are running. Higher-end commercial "all-in-one" VA tools can miss vulnerabilities that more specialized tools can find (e.g., an OS assessment tool won't be able to dig into Web apps as deeply as a Web application testing tool will -- if at all). If your research shows the tool isn't likely to address your goals, find another. Even once you've made a selection, if the tool generates a lot of false positives (common in most tools), such as patches that aren't really missing and Web application files that don't really exist, that could be an indication that you're not using the right tool -- consider looking for a tool that's a better fit.
  2. Start with freeware and open source tools
    Freeware and open source tools are indispensable. They can help cut down on the costs associated with testing -- especially if you're looking for port scanning, OS enumeration and password cracking capabilities. I use them all the time and recommend others do the same. However, I have found that even the top-notch freeware or open source tools often require the complementary functionality of commercial products as backup for ensuring broad vulnerability testing and detailed reporting.
  3. Employ diagnostic experience
    Keep in mind that of all the security assessment tools in the world -- whether freeware, open source or commercial -- none can replace good old-fashioned diagnostic experience. While good tools generate strong results, human expertise is required for proper analysis of scan results. This requires someone who can look at open ports, protocols discovered, OS policy settings and even patches that are supposedly missing, to determine whether or not each finding actually applies to your network. This type of expertise is best gained through good old-fashioned experience. However, expertise can also be developed through the various hands-on ethical hacking courses. You can always outsource your testing or results analysis as well if necessary. An outside set of eyes is a good way to catch security weaknesses that may otherwise be overlooked.
  4. Select broad reporting features
    Aside from the required vulnerability testing features (OS, Web applications, password cracking, etc.), VA tools should generate a variety of useful reports, including reports for technical, developer/QA and upper management audiences (who often prefer nice graphical reports with color pie charts and bar graphs). Strong report features help you to explain and highlight test results, and they're also good for documenting regulatory compliance, sharing with business partners and customers, and more. This sharing of non-technical information regarding the state of information security (number of vulnerabilities, trends, etc.) is essential for keeping management in the loop and showing that their money is being spent wisely.

A lot of effort goes into testing for security vulnerabilities. If you find the right security tools, you and your team members can work smarter not harder when performing ongoing security tests. It's important to budget time for learning new tools as well as money for initial purchases and ongoing maintenance costs for the commercial tools. By selecting the right tools to maximize your time and money, you can increase your chances of working more effectively to find more security vulnerabilities, gain ongoing support for information security and set up an environment that makes your job a little easier. We could all use some of that.

About the author
Kevin Beaver is the founder and principal consultant of the information security services firm Principle Logic, LLC based in Atlanta, Ga., where he specializes in information security assessments and incident response. He has more than 16 years of experience in IT and is the author of several books on information security including the new title Hacking For Dummies by Wiley Publishing. Kevin can be reached at [email protected].

This was last published in November 2004
