Making the Perfect Pair – Penetration Testing and Vulnerability Scanning

July 27, 2011

Box art for the 1981 David Cronenberg film, Scanners.

I know integrating vulnerability scanning with penetration testing software isn’t a groundbreaking new concept and has been talked about for years now, but I felt compelled to dive into the topic today because it’s still a subject that I find comes up on a regular basis.

When I’m at conferences, I sometimes get asked “So you guys do scanning, right?” I explain politely how Core Security actually provides penetration testing software that integrates with a lot of vulnerability scanners. In fact, our software has been able to easily import the results from network and web scanners since 2005 and filter them for critical, exploitable vulnerabilities – without those pesky false positives.

What do you get out of the deal? No wading through hundreds of pages of reports to figure out what to do next; no analysis paralysis. Just a concise report of the exposures in your environment that are without-a-doubt, 100% exploitable.

Here’s how scanner integration works with our CORE IMPACT Pro pen testing software:

  1. Run a vulnerability scan to identify and report on vulnerabilities
  2. Import the scan results into CORE IMPACT
  3. Run the exploits against critical vulnerabilities identified in the scan results
  4. Reveal which vulnerabilities pose critical risks
  5. Safely demonstrate the consequences of a breach – including multistaged threats to backend systems
  6. Run CORE IMPACT vulnerability validation reports
  7. Focus remediation on critical issues first
  8. Re-test patched and updated systems
  9. Run CORE IMPACT delta and trend reports
  10. Repeat above steps as desired
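
The triage logic behind steps 2, 4, 7, 8 and 9, as an added example that is not from the original post and is not CORE IMPACT code or its import format. The record shapes, host names and `VULN-*` identifiers are constructed placeholders, and the function names are hypothetical.

```python
# Added illustration: generic data shapes, not CORE IMPACT's import format or API.
from collections import namedtuple

Finding = namedtuple("Finding", "host vuln_id severity")

# Constructed scanner output (step 1); vuln ids are placeholders.
SCAN = [
    Finding("web01", "VULN-A", "critical"),
    Finding("web01", "VULN-B", "low"),
    Finding("db01", "VULN-C", "critical"),
    Finding("db01", "VULN-D", "high"),
    Finding("app01", "VULN-E", "critical"),
]

# Constructed validation outcomes per (host, vuln_id) for two test rounds
# (steps 3-4, then step 8): True = confirmed exploitable, False = tested, not exploitable.
ROUND_1 = {("web01", "VULN-A"): True, ("db01", "VULN-C"): True,
           ("db01", "VULN-D"): False, ("app01", "VULN-E"): True}
ROUND_2 = {("web01", "VULN-A"): False, ("db01", "VULN-C"): True,
           ("db01", "VULN-D"): True}  # app01/VULN-E was never re-tested

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def validated(scan, outcomes):
    """Keep only findings confirmed exploitable, worst severity first (steps 4, 7)."""
    confirmed = [f for f in scan if outcomes.get((f.host, f.vuln_id)) is True]
    return sorted(confirmed,
                  key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.vuln_id))


def delta(before, after):
    """Compare two rounds (step 9). A missing re-test is never counted as fixed."""
    was = {k for k, ok in before.items() if ok}
    now = {k for k, ok in after.items() if ok}
    return {
        "fixed": sorted(k for k in was if after.get(k) is False),
        "still_exploitable": sorted(was & now),
        "newly_exploitable": sorted(now - was),
        "not_retested": sorted(k for k in was if k not in after),
    }


if __name__ == "__main__":
    for f in validated(SCAN, ROUND_1):
        print(f"remediate first: {f.host} {f.vuln_id} ({f.severity})")
    print(delta(ROUND_1, ROUND_2))
```
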

Here at Core, we understand the importance of integrating our products with the most widely used vulnerability scanners, especially since a vast majority of our customers use some form of vulnerability scanning as a part of their vulnerability management strategy.

CORE IMPACT Pro currently is integrated with the following network vulnerability scanners:

… and with the following web vulnerability scanners:

See integrated scanning and pen testing this Thursday: Interested in seeing seamless vulnerability scanning and penetration testing in action? I’ll be co-hosting a webcast this Thursday with Morey Haber, VP of product management at eEye. You can click here to register for the event. If you can’t attend, we’ll make sure you get a recording.

August 1 Update: Click here to view the recording of the webcast mentioned above.

So I’ll leave you all with one final thought: As I mentioned before, the integration of pen testing with vulnerability scanners isn’t a profound new concept. However, together these two tools help streamline efforts to improve overall vulnerability management strategies and should not be overlooked.

- Alex Horan, CORE IMPACT Product Manager

 
