I know integrating vulnerability scanning with penetration testing software isn’t a groundbreaking new concept and has been talked about for years now, but I felt compelled to dive into the topic today because it’s still a subject that I find comes up on a regular basis.
When I’m at conferences, I sometimes get asked “So you guys do scanning, right?” I explain politely how Core Security actually provides penetration testing software that integrates with a lot of vulnerability scanners. In fact, our software has been able to easily import the results from network and web scanners since 2005 and filter them for critical, exploitable vulnerabilities – without those pesky false positives.
What do you get out of the deal? No wading through hundreds of pages of reports to figure out what to do next; no analysis paralysis. Just a concise report of the exposures in your environment that are without-a-doubt, 100% exploitable.
Here’s how scanner integration works with our CORE IMPACT Pro pen testing software:
- Run a vulnerability scan to identify and report on vulnerabilities
- Import the scan results into CORE IMPACT
- Run the exploits against critical vulnerabilities identified in the scan results
- Reveal which vulnerabilities pose critical risks
- Safely demonstrate the consequences of a breach – including multistaged threats to backend systems
- Run CORE IMPACT vulnerability validation reports
- Focus remediation on critical issues first
- Re-test patched and updated systems
- Run CORE IMPACT delta and trend reports
- Repeat above steps as desired
Here at Core, we understand the importance of integrating our products with the most widely used vulnerability scanners, especially since the vast majority of our customers use some form of vulnerability scanning as part of their vulnerability management strategy.
CORE IMPACT Pro is currently integrated with the following network vulnerability scanners:
- eEye Retina Network Security Scanner
- GFI LANguard
- IBM Internet Scanner
- Lumension Scan
- nCircle IP360
- Qualys QualysGuard
- Tenable Nessus
- SAINT Scanner
- McAfee Vulnerability Manager (was Foundstone Scanner)
… and with the following web vulnerability scanners:
See integrated scanning and pen testing this Thursday: Interested in seeing seamless vulnerability scanning and penetration testing in action? I’ll be co-hosting a webcast this Thursday with Morey Haber, VP of product management at eEye. You can click here to register for the event. If you can’t attend, we’ll make sure you get a recording.
August 1 Update: Click here to view the recording of the webcast mentioned above.
So I’ll leave you all with one final thought: As I mentioned before, the integration of pen testing with vulnerability scanners isn’t a profound new concept. However, together these two tools help streamline efforts to improve overall vulnerability management strategies and should not be overlooked.
- Alex Horan, CORE IMPACT Product Manager