Vulnerability Tools Get Teeth
Vulnerability assessment tools aren't just for scanning devices and spitting out a list of vulnerabilities anymore: VA tools are now being bundled with configuration management, policy, and penetration testing functions. Some vendors, like StillSecure, even envision VA eventually becoming part of the network access control (NAC) equation.
"It's definitely not dead," says Ron Gula, CEO of Tenable Networks, which sells the popular Nessus vulnerability scanner. "There are people who scan several million IP addresses per day, and penetration testers are still using it [the vulnerability assessment tool]. If VA scanning were dead, we wouldn't have 80,000 people downloading us as plug-ins."
But Gula admits that VA, including Nessus, is evolving. Aside from pinpointing vulnerabilities, Nessus also enumerates all hosts and devices connected to Web services, SNMP, and other network services, he says.
The trouble with merely finding vulnerabilities with a VA scan is that each vulnerability doesn't necessarily equal a risk. And the sheer volume of vulnerabilities can be overwhelming.
"I don't think you're ever going to lose the need to scan your stuff. The question is what you do with that data and how you make it actionable," says Michael Rothman, president and principal analyst of Security Incite.