There’s been some inner-industry discussion of late about a couple of vulnerability scanner vendors working to use Metasploit’s fully open source license to tie their existing technologies directly to the free exploit framework. The benefits of doing so could prove to be powerful, some observers contend, if customers of those scanning technologies can feed their vulnerability scan results to Metasploit assess if any flaws they discover could be used by hackers or malware attacks.
Validating vulnerabilities in this fashion will also help users deal with the problem of false positives, an issue that scanner makers have greatly improved upon, but which they all continue to wrestle with.
Back in January 2009, we actually saw another commercial partnership like this, as Tenable Network Security announced that its’ Nessus scanner would be bundled with Immunity Security’s Canvas penetration testing tool in a package aimed primarily at organizations attempting to address compliance auditing capabilities.
At the time, officials with the companies touted the combination as something that would help customers “measure real-world exposure in a manageable way."
Nick Selby, an analyst with the 451 Group, added in the companies’ press release that "combining vulnerability scanning and penetration testing into an integrated package makes increasing sense, as consultants and in-house IT staff work to get the most possible value from existing software,” particularly in a challenging economy, the expert noted.
And we here at Core Security agree with just about everything that these constituencies are saying about the gains that can be realized by pulling these two foundational elements of vulnerability management together… except of course that doing so is anything new.
We’ve been talking about integrating vulnerability scanning with penetration testing software for years, as we’ve built the list of marquis partnerships that we’ve put in place for years with the market’s most widely used scanning technologies.
Core established a partnership with eEye Digital Security to link the company’s Retina scanner with CORE IMPACT four years ago back in Q1 of 2005.
In 2006, we established a similar arrangement with hosted vulnerability scanning services vendor Qualys, and integrated with PatchLink (since renamed Lumension) that has since allowed IMPACT customers the additional benefit of feeding their patch management data into our testing software to ensure that security patches are being deployed correctly. We also maintain integrations with GFI, Harris (now also part of Lumension), IBM-ISS, nCircle and Tenable that allow for users of those scanners to channel results directly into IMPACT.
While all these other companies are still in the nascent stages of trying to figure out just how to make these complex technologies work together, we’ve been serving customers using integrated solutions for years – and a vast majority of our customers use some form of vulnerability scanner with Core IMPACT in this way.
Another important advantage that IMPACT has in this arena, in addition to its years of experience in supporting joint deployments, is that unlike any other penetration testing solution on the market, we have the ability to replicate multi-staged attacks that move across different vectors of attack (networks, endpoints and web applications) to help our customers understand how multiple vulnerabilities can and will be used against you by attackers if you don’t look at the problem from such a comprehensive standpoint.
We’d also argue that our ability to create safe, reliable, truly commercial-grade exploits via the efforts of our 60-person strong development and QA team in combination with Core Labs – with over 1,000 exploits and counting available for use in IMPACT at this point – lends another advantage over any other combination of scanning and testing technologies on the market. And those individual exploits cover testing for well over 5,000 individual vulnerabilities.
So, at the end of the day, we’re actually happy to see other vendors following in our footsteps; it serves as influential validation that other people focused on the vulnerability management space agree that helping customers piece together these vital pieces of the puzzle is the right way to approach things.
Just don’t let anyone tell you it’s a new thing; it’s just new to them.
-Fred Pinkett, VP of Product Management