Various automated, semi-automated, and manual process-assistive tools exist that can be used to find and analyze vulnerabilities in information systems and networks. In this blog, the system and network elements that a tool assesses will be referred to as the targets of that tool. Before discussing the VA tools themselves, one needs to understand which tools are not VA tools, even though they are used during the overall assessment process. The types of tools that are not VA tools are listed below.
Compliance validation tools
The main purpose of compliance validation tools is to verify a target’s compliance with some form of regulation, policy, or guideline, such as a security configuration guideline, a policy or regulation mandating a certain set of security controls, or a set of patch management requirements. Compliance tools are not vulnerability assessment tools: they check a target against a predefined baseline and report deviations from it, rather than seeking out the presence of vulnerabilities. A missing patch or a weak setting that the baseline does not cover will therefore not be reported, even if it is exploitable.
Continuous monitoring tools and intrusion detection systems (IDS)
The main purpose of these tools is to detect changes in a system’s behavior, or in the patterns of network traffic payloads or application data inbound to or outbound from the target, that could indicate attack activity in progress. Such tools find vulnerabilities only indirectly: a detected attack may reveal a previously unknown vulnerability, or show that a new one has emerged as a result of the attack. In addition, the user of the tool can often infer from the success of a given attack that a previously unknown (or known but unmitigated) vulnerability or vulnerabilities had to have been present for the attacker to exploit. In every case the vulnerability is inferred after the fact from the attack, not located by the tool.
Vulnerability mitigation tools
While the use of tools such as patching tools and configuration lock-down scripts strongly suggests that vulnerabilities needing mitigation must be present, such tools do not seek, analyze, or assess those vulnerabilities; they only apply a remedy that someone else has already decided is needed.
General network and operating system analysis tools and scanners
Utilities and tools such as host, finger, Nmap, Ethereal (the former name of Wireshark), NetScanTools, and Wireshark are used to examine and understand the attributes, architecture, configuration, or operation of a target, for example which hosts are reachable, which ports are open, which services and versions are listening, and what traffic they exchange. These tools do not explicitly detect or analyze/assess vulnerabilities in that target; mapping an observed service version to a known vulnerability is a separate step that the tool user, or a VA tool, must perform.
Developer security testing tools
These are tools intended for use by application or system developers, testers, or integrators to detect and analyze flaws, defects, and weaknesses in the architecture, design, or code of a target before that target is deployable, i.e., during its development life cycle. An example of such a tool is a static source code analyzer.
Known-malicious intrusion and monitoring tools
This blog excludes individual “black hat” tools, such as sniffers, spyware, keystroke loggers, bots, and Trojan Horse programs that are designed by hackers to help them find vulnerabilities to exploit. However, there are a number of vulnerability assessment tools of which sniffers and other “non-intrusive” (i.e., surreptitious, passive) monitoring agents are legitimate components. It is not possible to determine the original pedigree of all such sniffers/agents; in the case of some open source tools, especially automated penetration testing tool suites, it is possible that some of their components started out as hacker-originated tools but have since been turned to “white hat” use.
By “obsolete”, I mean tools that have not been updated since 31 December 2008 and/or that do not appear to be currently supported by their suppliers (vendors or open source developers).