
A holistic view of network risk

The Lab finds vulnerability management software that helps you secure networks and meet government requirements

By Carlos A. Soto, Special to GCN

It’s easy to get patch management software confused with vulnerability management software. In fact, we often hear the two terms used interchangeably. But there are big differences between patch and vulnerability programs, and how secure your network is depends upon how well you understand those differences.

One simple rule of thumb is that vulnerability management software is about policies and procedures. It takes a holistic view of your entire network and every node on it. In addition to determining whether you’ve got up-to-date software, vulnerability management finds risks in the passwords your users employ, the applications they load without your knowledge, and more. The best vulnerability management programs measure how well that holistic view matches the security policies you’ve determined are necessary to maintain a secure environment.

Patch management represents a subset of what vulnerability management is supposed to monitor, but in the real world the two platforms have little to do with each other. In fact, most vulnerability management companies, despite including crude patch management features in their programs, recommend a separate and dedicated patch management program to handle the cumbersome task of identifying, testing and installing software patches.
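To make the distinction concrete, here is a small added example (not code from the article or from any of the vendors it reviews) that assesses a constructed node inventory against a constructed organisational policy. It separates "patch" findings (installed software below the required version) from "policy" findings (unapproved applications, weak password settings), showing how the patch view is one slice of the broader vulnerability view. All hostnames, software names, version numbers and policy thresholds are constructed for illustration.

```python
"""Policy-driven vulnerability assessment over a constructed node inventory.

Added example, not code from the article or from any reviewed product.
Every hostname, version and policy value below is constructed.
"""
from dataclasses import dataclass

# Constructed policy: what the organisation has decided a compliant node looks like.
POLICY = {
    "min_versions": {"openssh": (7, 4), "apache": (2, 4, 10)},  # constructed
    "approved_apps": {"openssh", "apache", "backup-agent"},       # constructed
    "min_password_length": 12,
    "max_password_age_days": 90,
}


@dataclass
class Node:
    hostname: str
    software: dict            # name -> installed version string, e.g. "2.4.7"
    min_password_length: int  # local password policy on the node
    max_password_age_days: int


@dataclass
class Finding:
    hostname: str
    category: str   # "patch" (out-of-date software) or "policy" (everything else)
    detail: str


def parse_version(version):
    """Turn '2.4.7' into (2, 4, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_node(node, policy=POLICY):
    """Return all findings for one node, in a stable order."""
    findings = []

    # Patch view: installed software at or above the required version?
    for name, required in policy["min_versions"].items():
        if name in node.software and parse_version(node.software[name]) < required:
            wanted = ".".join(map(str, required))
            findings.append(Finding(node.hostname, "patch",
                                    f"{name} {node.software[name]} is below required {wanted}"))

    # Policy view: applications installed that the organisation never approved.
    for name in sorted(node.software):
        if name not in policy["approved_apps"]:
            findings.append(Finding(node.hostname, "policy", f"unapproved application {name}"))

    # Policy view: node-local password settings weaker than the organisation's floor.
    if node.min_password_length < policy["min_password_length"]:
        findings.append(Finding(node.hostname, "policy",
                                f"minimum password length {node.min_password_length} "
                                f"< {policy['min_password_length']}"))
    if node.max_password_age_days > policy["max_password_age_days"]:
        findings.append(Finding(node.hostname, "policy",
                                f"password age {node.max_password_age_days} days "
                                f"> {policy['max_password_age_days']}"))
    return findings


def assess_inventory(nodes, policy=POLICY):
    """Map each hostname to its list of findings."""
    return {node.hostname: check_node(node, policy) for node in nodes}


def summarize(report):
    """Count findings per category across the whole report."""
    counts = {"patch": 0, "policy": 0}
    for findings in report.values():
        for finding in findings:
            counts[finding.category] += 1
    return counts


# Constructed inventory: three nodes with a mix of patch gaps and policy gaps.
INVENTORY = [
    Node("web01", {"apache": "2.4.7", "openssh": "7.9"}, 8, 90),
    Node("file02", {"openssh": "8.2", "backup-agent": "1.0", "torrent-client": "3.1"}, 12, 365),
    Node("db03", {"openssh": "7.4"}, 14, 60),
]

if __name__ == "__main__":
    report = assess_inventory(INVENTORY)
    for host, findings in report.items():
        for f in findings:
            print(f"{host}: [{f.category}] {f.detail}")
    print(summarize(report))
```

Run as a script it lists one patch finding (web01's Apache) and three policy findings, which is exactly the point of the article's distinction: a patch tool would have reported only the first of the four.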

Last year, the GCN Lab reviewed patch management programs [see GCN.com, Quickfind 626]. For this go-round, we moved up the ladder to examine the more complex but very necessary vulnerability management platforms. We tested four enterprise programs from leading vendors in the industry: AdventNet Inc., Altiris Inc., BigFix Inc. and Rapid7 LLC. A fifth company, eEye Digital Security (www.eeye.com), was not able to get its software delivered and running on our test network by our deadline. And Citadel Security Software (www.citadel.com), which has many government customers, did not respond to repeated requests to participate.

We’re aware there are many solutions we were unable to review, but we chose these products because they were in use in government, demonstrated the full spectrum of vulnerability management capabilities and could meet our rigid schedule.

What we did

Finding a vulnerability management suite for an agency or federal network is challenging. Every agency and office is different, and there are various regulations that particular agencies must follow, such as the Office of Management and Budget’s Circular A-123 or the Defense Department’s Gold Disk standards.
