This IDC white paper examines key trends in the vulnerability assessment and management (VA&M) market and identifies the value of penetration testing as part of a comprehensive security methodology.
IDC EXECUTIVE BRIEF

Penetration Testing: Taking the Guesswork Out of Vulnerability Management

June 2005

Adapted from Worldwide Vulnerability Assessment and Management 2004–2008 Forecast and 2003 Vendor Shares: Assessing Risk and Compliance, by Charles J. Kolodgy; IDC #32026

Global Headquarters: 5 Speen Street, Framingham, MA 01701 USA; P.508.872.8200; F.508.935.4015; www.idc.com

Executive Overview

Today, IT managers have limited capability to assess real risk, to technically validate the effectiveness of the security products they use, and to make intelligent IT security investment decisions. This Brief discusses how penetration testing software can efficiently address these challenges. Penetration testing is an important addition to the vulnerability assessment and management (VA&M) portfolio in that it picks up where "scan and identify" products leave off, substantiating whether theoretical threats to network security are real or not. Penetration testing software provides the capability to test the overall IT security infrastructure and policies, confirming that an organization's security investments are actually working. This capability will become increasingly important as companies continue to spend more on solutions to protect their information assets and meet compliance requirements. Management will need to justify those investments by proving that they are indeed paying off.

Penetration testing is necessary for organizations to:
• Understand the actual risk to their business posed by specific vulnerabilities
• Test the security of their network
• Determine if their current security investments are actually detecting and preventing attacks
Penetration testing software represents the best option for doing so.
Introduction

The network security efforts of IT managers have so far been focused on keeping the bad guys at bay. Traditionally, this has been accomplished by trying to outsmart attackers: creating barriers, or adding defensive mechanisms once a vulnerability was identified. As networks become more complex, however, it is impossible to protect everything. Instead, managers need to prioritize their security efforts to protect the most critical assets and to ensure that the technology they have already deployed is functioning as effectively as possible. Vulnerability scanners can help, but the list of potential vulnerabilities a scanner produces can be dauntingly long, and it is not entirely accurate: the findings are reported, not confirmed as exploitable.
Additionally, managers should probe deeper to understand the true threat to assets when specific vulnerabilities are exploited on their network. A new class of penetration-testing software products has emerged to do this. These products represent a potential solution for managers to test the security of a network, identify what resources are exposed, and determine if current security investments are actually detecting and preventing attacks. This Brief examines key trends in the vulnerability assessment and management (VA&M) market and identifies the value of penetration testing as part of a comprehensive security methodology.
The Need for Better Vulnerability Management

IT infrastructure is getting more complex, and wider access to internal networks is being granted to credentialed users located outside the firewall. Today, IT managers have limited capability to assess real risk, to technically validate the effectiveness of the security products they use, and to make intelligent IT security investment decisions.
In addition, the following factors are driving demand for better vulnerability management solutions:
• Organizations need something more than a status check and a laundry list of items to fix. Scanners are good at detecting potential flaws, but companies need not only to know what vulnerabilities they have, but also to have a means of measuring policy compliance and managing risk. Most organizations do attempt to patch known vulnerabilities, but patching everything is not a practical, or even a necessary, step in every case. Furthermore, enterprises need to understand their true exposure in the event of a real security compromise.
• Government requirements for security and privacy have become more demanding. Organizations of all sizes have to be concerned about their ability to measure their compliance with security requirements. For ...