Is the plain vanilla vulnerability assessment scanner dead?
Vulnerability assessment tools aren’t just for scanning devices and spitting out a list of vulnerabilities anymore: VA tools are now being bundled with configuration management, policy, and penetration testing functions. Some vendors, like StillSecure, even envision VA eventually becoming part of the network access control (NAC) equation. “It’s definitely not dead,” says Ron Gula, CEO of Tenable Network Security, which sells the popular Nessus vulnerability scanner. “There are people who scan several million IP addresses per day, and penetration testers are still using it [the vulnerability assessment tool]. If VA scanning were dead, we wouldn’t have 80,000 people downloading us as plug-ins.” But Gula admits that VA, including Nessus, is evolving. Aside from pinpointing vulnerabilities, Nessus also enumerates all hosts and devices connected to Web services, SNMP, and other network services, he says. The trouble with merely finding vulnerabilities with a VA scan is each vulnerability do