
What evaluation criteria would you use to select the right Oracle scanning tool?

Context:

To deploy an automated scanning tool (Nessus, SQuirreL, etc.) for use by both development teams and security teams.

One tool to be used by both teams during the build stage, ongoing management (patching, changes to DB structure) and for assurance related activity (such as internal audit or security review).

One example for this would be:

Ability to restrict password cracking. While this may have value for the security team, I would not want the development team to be able to crack passwords.

So, at the risk of now providing my own answer (still keen to have more thoughts on this!), I have come up with the following:

  • Does the tool provide compliance reports generated against our own internal standard?

This would be useful for the Dev team to ensure the build meets the required level.

  • Does the tool produce compliance reports generated against an external standard?

Such as CIS or NIST, as this would be for the Security team to compare the delta between the approved build and industry best practice.

  • Ability to conduct a vulnerability scan

Does the build actually provide enough protection? Using a vulnerability scanning / analysis approach to test the build for security exposure.

  • Does the tool produce a report on missing patches?

  • Can I restrict scanning to specific assets / user groups?

Any others that would be useful?

AviD
David Stubley
  • Do you want the scans to be run continuously or on-demand? Also, do you want devs to be able to configure their own scans, or just trigger/request one? – Scott Pack May 31 '11 at 11:50
  • Good points. This should be on-demand, and I think both options for configuration. It would be good to have a defined scan based on internal build requirements that they can just trigger, but there may also be value in custom scans so that they then don't have to rely on security too much. – David Stubley May 31 '11 at 12:36
  • I don't know these tools, but re: *Ability to restrict password cracking* - I doubt that's what you mean - you really can't prevent someone from trying to crack a password hash, since it can be done on other machines. Do you mean restricted access to the password hashes? – nealmcb May 31 '11 at 14:44
  • Nealmcb, more focused on not providing the dev team with a tool that has password cracking as inbuilt functionality. – David Stubley May 31 '11 at 15:02
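The following is an added example, not code from the question or from any of the tools named in it. It shows how the criteria above (a compliance profile against an internal build standard, a second profile against a CIS-style external baseline, the delta between the two, and a per-team restriction that keeps intrusive checks such as password cracking out of the dev profile) can be expressed as one scan definition. The check names, thresholds and the `weak_password_accounts` check are assumptions chosen for illustration; the `v$parameter` and `dba_profiles` queries are real Oracle data-dictionary queries but are not executed here, and the result set is constructed so the script runs offline.

```python
"""Scan-profile evaluator for an Oracle build (illustrative, not a real tool)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

Expectation = Union[str, Callable[[object], bool]]


@dataclass(frozen=True)
class Check:
    name: str
    sql: str                 # what a scanner would run against the DB; not executed here
    expected: Expectation    # literal value, or predicate over the collected value
    intrusive: bool = False  # e.g. password cracking: never part of the dev profile


def at_most(limit: int) -> Callable[[object], bool]:
    return lambda v: isinstance(v, int) and v <= limit


def not_equal(bad: str) -> Callable[[object], bool]:
    return lambda v: v is not None and v != bad


PARAM = "SELECT value FROM v$parameter WHERE name = '{0}'"
PROFILE = ("SELECT limit FROM dba_profiles WHERE profile = 'DEFAULT' "
           "AND resource_name = '{0}'")

# Internal build standard: thresholds are assumed for illustration.
INTERNAL_STANDARD: List[Check] = [
    Check("remote_os_authent", PARAM.format("remote_os_authent"), "FALSE"),
    Check("o7_dictionary_accessibility", PARAM.format("o7_dictionary_accessibility"), "FALSE"),
    Check("failed_login_attempts", PROFILE.format("FAILED_LOGIN_ATTEMPTS"), at_most(10)),
    Check("password_life_time", PROFILE.format("PASSWORD_LIFE_TIME"), at_most(180)),
]

# External, CIS-style baseline: stricter thresholds plus checks the internal standard lacks.
EXTERNAL_BASELINE: List[Check] = [
    Check("remote_os_authent", PARAM.format("remote_os_authent"), "FALSE"),
    Check("o7_dictionary_accessibility", PARAM.format("o7_dictionary_accessibility"), "FALSE"),
    Check("failed_login_attempts", PROFILE.format("FAILED_LOGIN_ATTEMPTS"), at_most(5)),
    Check("password_life_time", PROFILE.format("PASSWORD_LIFE_TIME"), at_most(90)),
    Check("audit_trail", PARAM.format("audit_trail"), not_equal("NONE")),
    # Hypothetical intrusive check: accounts whose hashes fell to an offline dictionary attack.
    Check("weak_password_accounts", "-- tool-specific offline hash cracking", at_most(0),
          intrusive=True),
]


def profile_for(team: str) -> List[Check]:
    """Dev team: internal standard minus intrusive checks. Security team: full baseline."""
    if team == "dev":
        return [c for c in INTERNAL_STANDARD if not c.intrusive]
    if team == "security":
        return list(EXTERNAL_BASELINE)
    raise ValueError(f"unknown team: {team}")


def evaluate(checks: List[Check], results: Dict[str, object]) -> Dict[str, bool]:
    """Map each check name to pass/fail given the values a scanner collected."""
    report = {}
    for c in checks:
        actual = results.get(c.name)
        report[c.name] = bool(c.expected(actual)) if callable(c.expected) else actual == c.expected
    return report


def delta(results: Dict[str, object]) -> List[str]:
    """Checks the approved build passes (or does not cover) but best practice fails."""
    internal = evaluate(INTERNAL_STANDARD, results)
    external = evaluate(EXTERNAL_BASELINE, results)
    return sorted(n for n, ok in external.items() if not ok and internal.get(n, True))


# Constructed sample of what a scan would collect from a database; not real output.
SAMPLE_RESULTS: Dict[str, object] = {
    "remote_os_authent": "FALSE",
    "o7_dictionary_accessibility": "FALSE",
    "failed_login_attempts": 10,
    "password_life_time": 120,
    "audit_trail": "NONE",
    "weak_password_accounts": 2,
}

if __name__ == "__main__":
    print("dev profile:", evaluate(profile_for("dev"), SAMPLE_RESULTS))
    print("security profile:", evaluate(profile_for("security"), SAMPLE_RESULTS))
    print("delta to best practice:", delta(SAMPLE_RESULTS))
```

With the constructed sample, the dev profile passes every internal check while the security profile reports four gaps against the external baseline, which is exactly the delta the second criterion in the list asks a tool to surface; the intrusive password check is absent from the dev profile by construction rather than by trusting the dev team not to run it.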

1 Answer


A way to test if one scanner is better than another is to use the scanner against an application that you know is vulnerable to attack. One of the best examples is Wavsep, which was used to compare many open source and commercial applications. All of the results are available, and the only tool to pass all of the tests is Sitewatch; if you don't believe me, then you should try it.

rook