Scanning Tools: How Many Do We Really Need?
So Many Tools...
Today we have HTML, XHTML, JSP, ASP, PHP and tons more. There are databases, streaming multimedia, and more scripting languages than I have time and space to enumerate here. As all of these technologies have evolved, the need to test every one of them for security has grown dramatically.
Unfortunately, because there are so many ways to serve up information, many methods of testing are also needed. We need patch management scanners to make sure everything is patched. We need vulnerability scanners to look for weaknesses in operating systems and the services they host. We need to test our databases to make sure information is stored in a secure manner. And we need to test the Web-based applications that provide this information, to guarantee that there's no way to get around all the other security. We need to make sure our systems follow a standard configuration, not just for security but also for compliance, as governed by the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and other regulations.
Fortunately, or perhaps not, an entire market has evolved to meet these needs. You can buy patch management solutions, vulnerability scanners, database scanners, application test suites, and compliance software, too. But how many scanners do we really need? Isn't there a better way?