Friday, November 10, 2006

Vulnerability Stack

Enterprise security professionals have the responsibility of dealing with vulnerabilities. They have to find and fix as many issues as possible, wherever they happen to pop up. Varying from one environment to the next, this can be a REALLY big job. To keep up, many enlist the help of commercial and open source solutions. The problem is there are perhaps hundreds, or more, vulnerability management/assessment/scan/remediation/consulting vendors, all targeting a specific niche of the vulnerability stack in their own special way. It’s a confusing landscape to say the least. In my position I get asked a lot about who covers what, how one is different from the other guy, or how good it is. I do my best to keep track of these things, since it’s my business to know and I want to give educated answers. I thought it would be helpful to create a couple of graphics that people researching solutions would be able to use. Less confusion = good.

The first graphic is my take on the “vulnerability stack”: the areas of focus for vulnerability scanning/assessment solutions. This is helpful for asking vendors what area they cover. There are probably some areas I missed, but it’s a first draft. If my “technical vulnerabilities” and “business logic flaws” terminology is confusing, please see Technology Alone cannot Defeat Web Application Attacks: Understanding Technical vs. Logical Vulnerabilities.


The second graphic is a vulnerability scanning/assessment vendor comparison chart. Here we’re trying to answer the “who covers what?” question and provide a foundation for asking how they are different. I know some vendors will claim they do more than what the chart indicates, but I’m listing only their main areas of focus. If someone happens to add a web application vuln check or two, it doesn’t make them a network scanner. Likewise, if a web application scanner adds a few network checks, it’s hardly a new Nessus. A decent amount of comprehensiveness in the block is required. Enjoy!


6 comments:

Anonymous said...

Nice chart. You might want to consider turning off the spell checker and re-exporting it...

(Not trying to be snarky, consider this a bug report and a genuine compliment in one.)

Jeremiah Grossman said...

Darn, that was the second time someone mentioned that, so it had to be fixed. The red underlines have been removed from the image. Thanks for the feedback!

Anonymous said...

Nice framework! Don't forget databases (ex. Oracle), packaged apps (ex. PeopleSoft), and custom apps.

Anonymous said...

Where's Internet Security Systems? A big market leader should show up, right?

Jeremiah Grossman said...

Thank you for the comment. I made some updates to the vulnerability stack image and added ISS to my vulnerability comparison chart. I'll probably need to update this again to match the stack image better. These should do for now, though.

Adam Scott said...

Security is the degree of protection against danger, damage, loss, and criminal activity. Security has to be compared to related concepts: safety, continuity, reliability. The key difference between security and reliability is that a security system must take into account the actions of people attempting to cause destruction.