Compliance is a natural extension of a vulnerability analysis tool. Normal vulnerability scanning includes searching for unpatched systems, unprotected directories, and other errors in configuration.
Compliance is a natural extension of a vulnerability analysis tool. Normal vulnerability scanning includes searching for unpatched systems, unprotected directories and other errors in configuration.
Compliance typically adds a set of arbitrary checks that are specific to a particular regulatory regime. For example, a compliance policy might require that a DVD-ROM on a system can only be used by someone logged in locally. That's not really a vulnerability; it's just someone's idea of a particular security policy.
All of the products we tested except for Lumension Scan have a significant compliance component. For some, compliance scanning is also an extra cost or separately licensed option.
In vulnerability analyzers, "compliance" has two main parts: one is defining compliance policies and checks, and the second is generating reports with the specific checks that are called for by the regulatory regime. Because compliance is an entirely separate vulnerability analysis discipline with very different requirements, you should carefully consider the role of compliance testing and reporting before picking a vulnerability analyzer.
The requirements for compliance testing will change depending on the regime you're trying to support, and the feature set is usually more focused on policy auditing and less on getting individual systems securely configured. For example, everyone knows that patching production systems doesn't happen within a few hours of Microsoft's latest update. Compliance reporting is more about reporting on how long it took for you to bring systems back up to specification, than it is helping you figure out which systems need those patches.
If compliance is on your mind as part of a vulnerability analyzer acquisition, we think you should look carefully at eEye, McAfee, Qualys, and SAINT. In our quick look, we were most impressed by McAfee's compliance policy creation tools, and SAINT's ability to quickly import and edit standardized compliance policies based on the three "standard" formats.
There's no end in sight for creepy clown reports thanks to social media hysteria. Dress like a clown,...
The picture was snapped in a mall by an eagle-eyed Reddit user who couldn’t help but notice that a...
By forcing Windows 10 on users, Microsoft has lost the tenuous trust and credibility users had in the...
Social media brings out the darker side of digital introverts and often amplifies slanted views or...
Small business owners and experts share their strategies on how to build a successful, lasting...
New research shows that organizations need to do a better job at verifying certification credentials if...
Nutanix founder and CEO Dheeraj Pandey doesn’t want you to get too excited by today’s hyperconverged...