Do you know where your security holes are?

Qualys and McAfee lead the way in six-vendor test of automated tools that scan and report on vulnerabilities

We all worry that there's some lurking security problem in our servers. We do what we can: patching, following best practices, keeping up to date with training and news. But wouldn't it be great to have an automated tool to check our work? That's the promise of vulnerability analyzers: products that detect problems in configuration, applications, and patches.

Used correctly, a vulnerability analyzer can help you stay on top of hundreds or thousands of servers, network devices, and embedded systems. You'll know where to focus your efforts for security remediation, and you'll know that you have a system in place to keep little things from slipping through the cracks and becoming big things.

However, used incorrectly, these analyzers can generate thousands of pages of confusing information, frustrate security and network managers, and end up causing more problems than they solve.

We evaluated six market-leading products for their vulnerability scanner results, reporting features, product manageability, workflow tools, and interoperability with other enterprise products.

Two products stood out: the SaaS-based QualysGuard VM and McAfee's Vulnerability Manager, a software- or appliance-based product.

The SAINTmanager product line came in third, buoyed by a powerful scanner but burdened by a weak GUI. Our favorite challenger, eEye Retina CS, paired a strong scanner with a newly minted GUI, but we found a number of bugs and design flaws that need to be fixed before the product is ready for enterprise deployment. Retina is a relatively new product that is under active development. During the three months we were testing, we saw one upgrade of Retina, and eEye released another just before we went to press.
