Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Tech Insight: Free Versus Commercial Vulnerability Scanning Tools

Free, open-source vulnerability scanning tools are not always cheaper than their commercial counterparts

When it comes time to implement a vulnerability scanning program within your enterprise, should you be considering free and open-source tools or focusing only on commercial solutions? This question regularly comes up when security teams are faced with budgetary issues and are left wondering whether they can afford the hefty price tag that goes along with most enterprise scanning products.

The price tag is not the sole issue, however. The choice of free vs. commercial is also a highly debated topic when the realization hits that commercial scanning products are not a "set it and forget it" solution that automatically meets all of an organization's needs. This naturally causes an internal push to create a custom solution built around tools that would involve custom programming to automate the scanner, convert and feed the results into a database, email asset owners of new vulnerabilities, and interact with a ticketing system to track when issues are resolved -- not a small endeavor.

The question that management wants answered is, can they rely on free and open-source vulnerability scanning tools when the business is at stake? Can the free tools scale and integrate into existing workflow like the commercial solutions promise? What is it about commercial tools that make them any more or less effective at identifying vulnerabilities as the open-source options available?

Nothing. In fact, I have found in my work as a penetration tester that I regularly get better and more accurate results from open-source tools than I can from commercial products. Is that because the tools are better? Sometimes, but I attribute the difference based on how quickly they are updated, my knowledge of how the tools work, and my ability to modify them as needed for the particular situation –– not something I can do with the majority of the commercial security tools available.

With commercial vulnerability scanning tools, they are usually a black box, sometimes an appliance, where you push a "Scan" button in the user interface and get the results 20 minutes or hours later. Then, you move on to the task of remediating the issues that were identified. That is, unless a problem occurs. And this is where the key differentiator comes into play: technical support. Being able to pick up the phone and receive technical support is a major factor when deciding between free and commercial tool.

On the flip side, the free tools vary greatly in the amount of support available. I've seen emails and tweets to tool authors go unanswered because the tool was created as a proof-of-concept for a specific vulnerability, and the author had no desire to support it after its release. When those attempts fail, getting help might require a visit to that scary, dark area of the Internet known as IRC, where the hackers (and security tool developers) lurk and help can be found for the tool written solely for, and not touched since, the related Black Hat presentation last year.

That last paragraph paints a dark picture for free tools, but, thankfully, there are plenty of awesome security tools that receive a large amount of support from their developers and user community. The Kali Linux (formerly Backtrack Linux) is a great example of a project built around many free and open-source security tools that has extremely supportive developers and a large user base willing to help with problems. Similarly, there are projects that started with free tools and now have a mix of free and commercial offerings, like Metasploit and Burp Suite -- both with very active developers and community support available on forums, mailing lists, Twitter, and IRC.

Getting back to the issue at hand, is it safe for enterprises to rely solely on free tools for their vulnerability scanning program? The better question is whether an enterprise is willing to take on the effort to make the free tools work in their environments. The answer is usually no, not unless their security teams areoverstaffed and can afford to allocate two to five people at the initial design and implementation.

The team will need to integrate those free tools into something that is reliable and can provide actionable data so the enterprise can secure its resources and strengthen its overall security posture. But don't forget about the cost of maintaining the custom code, dealing with keeping the tools relevant, and fixing problems that may arise from upgrading as new versions of the tools get released. Oh, and there are support issues that may come up, and who wants to be the yelled at by the CIO when something breaks?

The most successful and effective vulnerability scanning programs I've encountered use a combination of commercial and free tools. The commercial tools handle most of the heavy lifting because they can track the vulnerability from initial discovery to its resolution. The free tools provide validation, possibly going as far as exploiting the issue and helping identify the true risk to the business if an attacker were to do the same.

Finally, it's important to point out that commercial vulnerability scanning solutions are not simply plug and play. They will require configuration and customization to match each enterprise environment, which may involve writing custom code to interact with the product's API for more granular control of scans or to dump results from the product's database and import them into an existing bug tracking system.

There is no easy right or wrong answer when it comes to deciding whether to use free, open-source tools or commercial solutions, but it's extremely important to realize the potential for free tools to cost more time and money because of initial implementation and ongoing maintenance.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SSERGIO123
50%
50%
SSERGIO123,
User Rank: Apprentice
6/1/2013 | 12:38:09 PM
re: Tech Insight: Free Versus Commercial Vulnerability Scanning Tools
With open source tools, what you don-t pay in dollars, you pay in man-hours.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.