Information Assurance Tools Report
Vulnerability Assessment
Fifth Edition, September 25, 2009
Distribution Statement A
Approved for public release; distribution is unlimited.
Table of Contents

SECTION 1 Introduction
1.1 Purpose
1.2 Scope
1.3 Report Organization

SECTION 2 IT Risk Management Overview
2.1 Background
2.2 Growth in IT Incidents and Vulnerabilities
2.3 What is Risk Management?

SECTION 3 Automated Vulnerability Assessment Tools
3.1 How Vulnerability Assessment Tools Work
3.2 Definition Box
3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan

SECTION 4 Tool Collection
4.1 Classification
4.2 Tool Selection Criteria

SECTION 5 Vulnerability Analysis Tools
Acunetix® Web Vulnerability Scanner
AppDetective
ASG Information Assurance Application (IA2)
BigFix® Security Configuration and Vulnerability Management Suite
Computer Oracle and Password (COPS)
CORE IMPACT™
DominoScan II
DumpSec v2.8.6
eTrust® Policy Compliance
Fortiscan Vulnerability Management
GFI LANguard®
Gideon SecureFusion Vulnerability Management
Host Based Security System (HBSS)
Internet Scanner®
Lumension Scan™
MBSA 2.1
McAfee® Vulnerability Manager
Metasploit
N-Stalker® Web Application Security Scanner
nCircle® IP360
Nessus® Vulnerability Scanner
NetIQ® Secure Configuration Manager
Network Mapper (Nmap®)
Nikto v2.03
Orascan
Paros Proxy v3.2.0Alpha
Proventia® Network Enterprise Scanner
proVM Auditor
QualysGuard® Vulnerability Management
Rational AppScan®
Retina Network Security Scanner
SAINT
Second Look™
SecureScout® NX
SecureScout® Perimeter
Security Auditor’s Research Assistant (SARA) v7.9.1
Security Administrator’s Tool for Analyzing Networks (SATAN)
SNScan v1.05
ThreatGuard® Secutor Magnus
Triumfant Resolution Manager®
Typhon III
WebInspect
WebScarab

SECTION 6 Related Resources
SECTION 7 Recommended Resources
SECTION 8 Definitions
SECTION 9 Definitions of Acronyms and Key Terms
IA Tools Report
SECTION 1 Introduction
The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information to support Information Assurance (IA) and defensive information operations. IATAC is one of 10 Information Analysis Centers (IAC) sponsored by DoD and managed by the Defense Technical Information Center (DTIC). IACs are formal organizations chartered by DoD to facilitate the use of existing scientific and technical information. Scientists, engineers, and information specialists staff each IAC. IACs establish and maintain comprehensive knowledge bases that include historical, technical, scientific, and other data and information, which are collected worldwide. Information collections span a wide range of unclassified, limited-distribution, and classified information appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain, and develop analytical tools and techniques, including databases, models, and simulations. IATAC’s mission is to provide DoD with a central point of access for information on emerging technologies in IA and cyber security. These include technologies, tools, and associated techniques for detection of, protection against, reaction to, and recovery from information warfare and cyber attacks that target information, information-based processes, information systems, and information technology. Specific areas of study include IA and cyber security threats and vulnerabilities, scientific and technological research and development, and technologies, standards, methods, and tools through which IA and cyber security objectives are being or may be accomplished. 
As an IAC, IATAC’s basic services include collecting, analyzing, and disseminating IA scientific and technical information; responding to user inquiries; database operations; current awareness activities (e.g., the IAnewsletter, IA Digest, IA/Information Operations Events Scheduler, and IA Research Update); and publishing State-of-the-Art Reports, Critical Review and Technology Assessments reports, and Tools Reports.
The IA Tools Database is one of the knowledge bases maintained by IATAC. This knowledge base contains information on a wide range of intrusion detection, vulnerability analysis, firewall applications, and anti-malware tools. Information for the IA Tools Database is obtained via open-source methods, including direct interface with various agencies, organizations, and vendors. Periodically, IATAC publishes a Tools Report to summarize and elucidate a particular subset of the tools information in the IATAC IA Tools Database that addresses a specific IA or cyber security challenge. To ensure applicability to Warfighter and Research and Development Community (Program Executive Officer/Program Manager) needs, the topic areas for Tools Reports are solicited from the DoD IA community or based on IATAC’s careful ongoing observation and analysis of the IA and cyber security tools and technologies about which that community expresses a high level of interest.
Inquiries about IATAC capabilities, products, and services may be addressed to:
Gene Tyler, Director
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
Email: [email protected]
URL: http://iac.dtic.mil/iatac
SIPRNET: https://iatac.dtic.mil
1.1 Purpose
This report provides a brief background on information technology (IT) risk assessment and risk management concepts, a short primer on vulnerability assessment tools, and an index of vulnerability assessment tools contained in the IATAC IA Tools Database. Moreover, the report provides users with an understanding of why engaging in risk management activities such as conducting vulnerability and risk assessments is an important aspect of assuring your critical IT asset’s ability to effectively support your critical missions. Finally, this report provides a summary of the characteristics and capabilities of publicly available vulnerability assessment tools. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tools. The written descriptions are based solely on the suppliers’ claims and are intended only to highlight the capabilities and features of each tool. These descriptions do not reflect the opinion of IATAC. It is up to the readers of this document to assess which product, if any, might best meet their needs. Technical questions concerning this report may be addressed to [email protected].

1.2 Scope
Currently, the IATAC database contains descriptions of numerous tools that can be used to support vulnerability and risk assessment activities. Vulnerability analysis tools are programs that help automate the identification of vulnerabilities in a network or system. Vulnerabilities can be defined as weaknesses in a system’s security scheme, exploitation of which would negatively affect the confidentiality, integrity, or availability of the system or its data. The type and level of detail of information provided among tools varies greatly. Although some can identify only a minimal set of vulnerabilities, others can perform a greater degree of analysis and provide detailed recommended countermeasures. The most recent development in vulnerability management is the ability for a tool to scan for vulnerabilities, analyze the impact of the vulnerability, determine a solution, identify the appropriate patches and security fixes, and finally, even deploy those patches in real time.
The majority of the tools identified in the IA Tools Database are available on the Internet, and many are used by crackers in the first stage of an attack: vulnerability information gathering. Penetration tools, which perform destructive actions (i.e., denial of service attacks), are excluded from this category. Sniffers and Trojan Horse programs also are excluded. Although many network utilities (i.e., host, finger) are valuable in identifying vulnerabilities on a host, they are often an automated component of vulnerability analysis tools, and therefore are not individually described in the database. The database includes commercial products, individually developed tools, government-owned tools, and research tools. The database was built by gathering as much open-source data as possible, analyzing that data, and summarizing information regarding the basic description, requirements, availability, and contact information for each vulnerability analysis tool collected. Generally, the commercially developed products are available. The government and academic tools, however, are reserved for specific projects and organizations.

1.3 Report Organization
This report is organized into eight sections. Section 1 provides an introduction to IATAC and the vulnerability analysis tools report. Section 2 summarizes the fundamentals of IT risk assessment and risk management. Section 3 provides background information on how automated vulnerability assessment tools work. Section 4 explains the classification of tools highlighted in this report, how they were selected, and the schema of the IA Tools Database. Section 5 includes a listing of currently available host, network, Web-application, and database-application vulnerability scanners as well as tools able to manage vulnerabilities in all of the scanning areas and to apply patches. Sections 6 and 7 provide recommended resources that are related to the topic of vulnerability assessment and definitions associated with this report. Finally, Sections 8 and 9 contain IA-related definitions and acronyms, respectively.
SECTION 2 IT Risk Management Overview
2.1 Background
Critical Infrastructures, both cyber and physical, “provide the foundation for and enable the functioning of every facet of American Society.” [2] In view of the heightened concerns about the wide variety of threats and hazards that our nation faces and the potential impact on the ability of our critical infrastructure to resiliently support overarching missions, the executive branch has issued a number of actions that assign responsibilities, direct planning, and enhance training to protect the nation’s critical infrastructure and respond to all types of threats. Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection (dated December 2003), and The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (both dated February 2003) specifically address the different threats and protection/assurance of the nation’s most vital resources by providing overarching policy guidance. These all focused on defensive strategies, and HSPD-7 did not address the protection of federal government information systems. The Comprehensive National Cybersecurity Initiative (CNCI), codified in the classified directive known as National Security Presidential Directive (NSPD)-54/HSPD-7, aims to unify defensive missions in cyber security with those of law enforcement, intelligence, counterintelligence, and military to defend against the full spectrum of threats to the nation’s critical infrastructure. In the constantly evolving world of IT, ensuring that our vital systems remain operational is of paramount importance and in line with the national strategy. To this end, Secretary Janet Napolitano of the Department of Homeland Security (DHS) has adopted “a policy of being prepared for all risks that can occur” [9] to assure the resiliency of our nation’s critical infrastructures. Cyber assets obviously make
up a significant portion of our nation’s critical assets and also provide support to even more critical assets by acting as a critical supporting infrastructure asset.
2.2 Growth in IT Incidents and Vulnerabilities
Automated attacks on information systems, and especially attacks against Internet-connected systems, continue to grow at such an exponential rate that they are viewed as almost commonplace. In fact, as of 2004, Carnegie Mellon’s Computer Emergency Response Team (CERT) stopped tracking the number of incidents reported per year because they believe it “provides little information with regard to assessing the scope and impact of attacks.” [1] The number of incidents reported from 1988 through the end of 2003 is listed in Figure 1. Carnegie Mellon’s CERT now tracks data on the number of vulnerabilities that are reported each year. Figure 2 lists the number of vulnerabilities that were reported from 1995 through the end of the third quarter of 2008. Along with the continually increasing number of incidents and the rising number of known vulnerabilities, the speed at which systems are attacked is also continuing to accelerate. Identifying vulnerabilities and addressing them in a timely manner is crucial to maintaining a secure environment and saves money in the long run. The vulnerability that the Conficker worm exploited was discovered in September 2008, and Microsoft released a patch in October 2008. The Conficker worm was not released until November 2008 and had multiple variants labeled Conficker A - Conficker E (up until the time of writing). Minimal estimates for Conficker infections are around three million, while more realistic estimates are around nine million to 15 million total infections. [11] The economic impact ranges from the hundreds of millions to billions of dollars to address the exploit. If more people had identified the vulnerability and applied patches when Microsoft first released them, Conficker would have been a non-issue.
2.3 What is Risk Management?
Many different risk assessment and management methodologies exist within the public and private domains. Therefore, to fully understand risk management, it is important to first define and understand “risk.” According to the Merriam Webster Dictionary, risk is defined as the “possibility of loss or injury.” Insurance companies often view risk as “the degree or probability of such loss.” [3] Although there are numerous definitions of risk, all definitions are composed of three basic components—
- Assets (i.e., read it as “impact of loss”),
- Threats (i.e., read it as “all possible hazards”),
- Vulnerabilities.
Figure 1 Number of Security Incidents Reported (1988–2003)
Figure 2 Number of Vulnerabilities Reported (1995–Third Quarter 2008)
Assets
An asset in the general sense is firm property or information that is of significant value (known as a critical asset). In risk management, an asset refers to the amount of damage losing a firm asset will cause if something bad occurs. Given that most enterprise networks have hundreds or thousands of networked information systems, vulnerability analysis and assessment by manual methods are virtually impossible. In addition, it is impossible to completely ensure that all assets are secure. Therefore, it is imperative that information security managers and system owners focus on identifying only their critical assets—those assets without which the organization’s key missions would be significantly degraded or cease to function. This is a key part of the risk assessment process.

Threats
Risks to critical assets can come from a variety of threats that can be considered possible hazards and usually fall into three categories—
- Man-made (intentional),
- Natural disaster,
- Accidental (unintentional) disruptions.

Therefore, an effective approach to threats will consider the full spectrum of threats and hazards, including natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, construction mishaps such as cutting fiber optic lines, and other types of incidents.

Vulnerabilities
Vulnerabilities are often defined as openings or pathways that a given threat can exploit to do harm to a critical asset. With the three main components of risk in mind, a picture of risk can be formulated. Risk is viewed as the area where all three circles overlap, as illustrated in Figure 3. Articulated as a mathematical formula, risk looks like the following—

Risk = Threat x Vulnerability x Cost of Asset
Figure 3 Components of Risk Diagram
Because our world is constantly changing, risk management is an ongoing activity. For example, technology is continually evolving, especially in the IT world, which introduces new vulnerabilities. Threats continue to evolve as well and sometimes even what is designated as a critical asset changes because the needs and priorities of an organization change. Risk management can save resources, time, and even lives.
We can now more fully define risk as being a function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization. With a firm understanding of risk, risk management can now be defined. Typically, risk management is a process for identifying and prioritizing the cost of assets, threats, and vulnerabilities, then making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce risk of loss associated with the exploitation of critical assets. Figure 4 illustrates the risk assessment and management processes.
Figure 4 Risk Assessment and Management Process
From this point forward, this report focuses on the vulnerability portion of the risk equation.
SECTION 3 Automated Vulnerability Assessment Tools
3.1 How Vulnerability Assessment Tools Work
Vulnerability assessment tools, in general, work by attempting to automate the first three steps often employed by hackers: 1) perform a footprint analysis, 2) enumerate targets, 3) test/obtain access through user privilege manipulation (see Table 1). The vulnerability assessment tools evaluate network-attached devices (servers, desktops, switches, routers, etc.) for vulnerable or potentially vulnerable situations. Often the vulnerabilities that are identified by these tools are programming flaws; however, some tools provide enough data that an analyst can uncover design, implementation, and configuration vulnerabilities. In the case of network-based tools, a network footprint analysis is performed by scanning for accessible hosts. The tools enumerate available network services (e.g., file transfer protocol, hypertext transfer protocol) on each host as accessible hosts are identified. As part of the enumeration services, scanners attempt to identify vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation. These terms are defined in Section 3.2 of this document.

Some advantages to vulnerability assessment tools are that they—
- More clearly define an asset,
- Discover technological and network vulnerabilities,
- Provide multi-perspective view points,
- Help properly scope the analysis,
- Reference public catalogs,
- Highlight design, implementation, and configuration vulnerabilities.
When a scanner finds a host with open ports, it checks those ports for vulnerabilities to known attacks. Most scanners include exploit tests that verify whether a given service or application is vulnerable. Most scanning tools perform tests based on their database of vulnerabilities. Just as anti-virus products must be constantly updated with new signatures, assessment tools must be continually updated with revisions to their vulnerability databases. If a vulnerability is not included in a tool’s database, it cannot be detected through scanning.
3.2 Definition Box
Hacker’s Methodology – A common approach to system exploitation—
1. Perform a footprint analysis
2. Enumerate targets
3. Test/obtain access through user privilege manipulation
4. Escalate privileges
5. Gather additional passwords and secrets
6. Install backdoors
7. Leverage the compromised system
Table 1 Hacker’s Methodology
Banner Grabbing
This term refers to grabbing information that a network service broadcasts about itself. For example, opening a telnet session to a mail server might yield the following message:

    220 mailhost.company.com ESMTP service (Netscape Messaging Server 4.15 Patch 7 [built September 11, 2001])

This example banner reveals the specific type of mail server that is running and its patch level. Similarly, a telnet connection to a Web server might yield information such as the following—

    HTTP/1.1 200 OK
    Date: Wed, 02 Jul 2003 22:03:21 GMT
    Server: Apache/1.3.27 (Win32) PHP/4.2.2
    X-Powered-By: PHP/4.2.1
    Connection: close
    Content-Type: text/html

In this case, the banner reveals the time on the Web server, the Web server type and version, an accessible scripting language (hypertext preprocessor [PHP]), and the operating system on which it is running.
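The following added example (not part of the original report) shows what a scanner, or an administrator auditing their own services, can extract from the two banners quoted above. The function names and regular expressions are this example's own and cover only the banner shapes shown here.

```python
import re

# The two banners quoted in the report, embedded as sample input.
SMTP_BANNER = (
    "220 mailhost.company.com ESMTP service "
    "(Netscape Messaging Server 4.15 Patch 7 [built September 11, 2001])"
)
HTTP_BANNER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 02 Jul 2003 22:03:21 GMT\r\n"
    "Server: Apache/1.3.27 (Win32) PHP/4.2.2\r\n"
    "X-Powered-By: PHP/4.2.1\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
)

PRODUCT_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")   # e.g. Apache/1.3.27
SMTP_GREETING = re.compile(r"^(\d{3})[ -](\S+)\s*(.*)$")      # code, host, free text
SMTP_DETAIL = re.compile(
    r"\(([A-Za-z][A-Za-z ]*?)\s+(\d+(?:\.\d+)+)(?:\s+Patch\s+(\d+))?")


def parse_smtp_banner(line):
    """Split an SMTP greeting into reply code, host name and disclosed software."""
    match = SMTP_GREETING.match(line.strip())
    if match is None:
        return None
    code, host, rest = match.groups()
    info = {"code": int(code), "host": host,
            "product": None, "version": None, "patch": None}
    detail = SMTP_DETAIL.search(rest)
    if detail:
        info["product"], info["version"], info["patch"] = detail.groups()
    return info


def parse_http_banner(raw):
    """Collect product/version tokens, platform comment and clock from HTTP headers."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    found = {"products": [], "platform": None,
             "server_time": headers.get("date")}
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        for token in PRODUCT_TOKEN.findall(value):
            if token not in found["products"]:
                found["products"].append(token)
        comment = re.search(r"\(([^)]+)\)", value)
        if comment and found["platform"] is None:
            found["platform"] = comment.group(1)
    return found


def disclosures(smtp_banner, http_banner):
    """List every software detail the two banners give away."""
    items = []
    smtp = parse_smtp_banner(smtp_banner)
    if smtp and smtp["product"]:
        label = f"{smtp['product']} {smtp['version']}"
        if smtp["patch"]:
            label += f" patch {smtp['patch']}"
        items.append(("smtp", label))
    http = parse_http_banner(http_banner)
    items += [("http", f"{name} {version}") for name, version in http["products"]]
    if http["platform"]:
        items.append(("http", f"platform {http['platform']}"))
    return items


if __name__ == "__main__":
    for service, detail in disclosures(SMTP_BANNER, HTTP_BANNER):
        print(f"{service}: {detail}")
```

Each item in the result is a detail that could be suppressed or generalized in the service configuration; note that the sample HTTP banner discloses two different PHP versions.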
Port Status
This term refers to checking to determine which network ports are open to allow connections to applications. For network services that use Transmission Control Protocol (TCP), this is done by sending a TCP connect() request to ports on the remote system. If the queried port is listening, the connect() succeeds and the port is considered open; otherwise, the connect() fails and the port is considered closed. There are several other methods of checking port status, such as TCP synchronize (SYN) scans and TCP finish (FIN) scans, that are beyond the scope of this report.
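As an added illustration (not code from the report), the sketch below classifies a port from the result of a full TCP connect() and uses that to compare a host's actual listeners with an approved list. The function names are this example's own, and the demo only touches loopback sockets that it creates itself.

```python
import errno
import socket


def port_status(host, port, timeout=1.0):
    """Classify one TCP port from the result of a full connect()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        result = sock.connect_ex((host, port))
    if result == 0:
        return "open"          # handshake completed: a service is listening
    if result == errno.ECONNREFUSED:
        return "closed"        # host answered with a reset: nothing listening
    return "no-response"       # timeout or unreachable, often a filter in the path


def audit_listeners(host, candidates, expected):
    """Compare what is actually listening with what the security plan allows."""
    observed = {port for port in candidates if port_status(host, port) == "open"}
    return {
        "unexpected": sorted(observed - set(expected)),
        "missing": sorted(set(expected) - observed),
    }


def demo():
    """Run the audit against loopback sockets created here (constructed scenario)."""
    approved, rogue, spare = (socket.socket() for _ in range(3))
    try:
        for sock in (approved, rogue, spare):
            sock.bind(("127.0.0.1", 0))          # let the OS pick free ports
        approved.listen(5)                        # service the plan expects
        rogue.listen(5)                           # service nobody approved
        a_port, r_port, s_port = (s.getsockname()[1]
                                  for s in (approved, rogue, spare))
        spare.close()                             # expected service that is down
        report = audit_listeners("127.0.0.1",
                                 [a_port, r_port, s_port],
                                 expected=[a_port, s_port])
        return {
            "approved": port_status("127.0.0.1", a_port),
            "spare": port_status("127.0.0.1", s_port),
            "unexpected_is_rogue": report["unexpected"] == [r_port],
            "missing_is_spare": report["missing"] == [s_port],
        }
    finally:
        for sock in (approved, rogue, spare):
            sock.close()


if __name__ == "__main__":
    print(demo())
```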
Protocol Compliance
This term refers to the way an application or operating system adheres to a standard procedure for data processing or transmission. One of the most common ways of using protocol compliance to identify remote systems is to interrogate the TCP stack. By monitoring the header information of outbound packets, it is possible to make accurate guesses regarding the remote operating system. By examining the Time To Live on the packet, its Window Size, the Don’t Fragment bit, and the Type of Service, it is possible in many cases to determine exactly which implementation of the TCP stack is on the remote system. (See Figure 5.) Determining the TCP stack narrows the number of possible operating systems, sometimes identifying the exact operating system.
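To make the four header fields concrete, here is an added example (not from the original report) that pulls Time To Live, Window Size, the Don't Fragment bit and Type of Service out of raw IPv4/TCP bytes and estimates the sender's initial TTL. The sample packet is constructed, and the TTL hint table holds commonly cited defaults for illustration only, not a real signature database.

```python
import struct

# Commonly cited default initial TTLs; illustrative hints, not a signature database.
TTL_HINTS = {
    32: "older or embedded stack",
    64: "Linux/BSD/macOS-style default",
    128: "Windows-style default",
    255: "network-device or Solaris-style default",
}


def parse_stack_fields(packet):
    """Extract TTL, Window Size, Don't Fragment and Type of Service."""
    if len(packet) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4      # IP options move the start of the TCP header
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    (window,) = struct.unpack("!H", packet[ihl + 14:ihl + 16])
    return {"ttl": ttl, "window": window,
            "dont_fragment": bool(flags_frag & 0x4000), "tos": tos}


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common starting value."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate


def describe(packet):
    """Add the estimated initial TTL, hop count and a coarse hint to the fields."""
    fields = parse_stack_fields(packet)
    start = initial_ttl(fields["ttl"])
    fields["initial_ttl"] = start
    fields["hops"] = start - fields["ttl"]
    fields["hint"] = TTL_HINTS[start]
    return fields


def build_sample(ttl, window, dont_fragment, tos=0):
    """Constructed SYN/ACK between documentation addresses; checksums left zero."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234,
        0x4000 if dont_fragment else 0, ttl, 6, 0,
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp_header = struct.pack(
        "!HHIIHHHH", 80, 40000, 1000, 2001, (5 << 12) | 0x012, window, 0, 0)
    return ip_header + tcp_header


if __name__ == "__main__":
    print(describe(build_sample(ttl=116, window=65535, dont_fragment=True)))
    print(describe(build_sample(ttl=57, window=5840, dont_fragment=True)))
```

The TTL alone only narrows the family of stacks; combining it with the window size, DF bit and TOS is what lets a tool tell implementations apart.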
Figure 5 TCP Connection (3-way Handshake)
Service Behavior
This term refers to the way a network service responds to remote requests. Different implementations of a given type of service may result in slightly different behavior from remote requests. For example, a “help” command response from a sendmail email server is different from the result from a postfix email server.
Exploitation
Computer network exploitation (CNE) refers to the “enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.” [14] CNE can be accomplished through a variety of means such as packet sniffing, hijacking TCP connections, port scanning, and address resolution protocol (ARP) spoofing. For example, ARP spoofing is a technique used to exploit ethernet networks. This type of spoofing can be used in two different ways—
- Sending fake, or spoofed, ARP messages to an ethernet local area network,
- As part of a “man-in-the-middle attack.”

The first means of exploitation is accomplished by sending frames that contain false media access control addresses, thus confusing network devices, such as network switches. The resulting effect is that the frames that are intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack). The second means of exploitation is accomplished by forwarding all traffic through a host with the use of ARP spoofing and then analyzing the frames for passwords and other information.
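From the defender's side, both uses of ARP spoofing described above leave the same trace: the address bindings seen on the segment stop being stable. The added example below (not from the original report) flags those changes in a list of observed ARP replies; the observations are constructed and use documentation address ranges.

```python
# Constructed ARP reply observations: (seconds, sender IP, sender MAC).
OBSERVED = [
    (0, "192.0.2.1", "00:00:5e:00:53:01"),    # gateway announces itself
    (5, "192.0.2.20", "00:00:5e:00:53:20"),   # ordinary workstation
    (9, "192.0.2.1", "00:00:5E:00:53:66"),    # gateway IP claimed by another MAC
    (10, "192.0.2.1", "00:00:5e:00:53:01"),   # real gateway answers again
    (12, "192.0.2.20", "00:00:5e:00:53:20"),  # unchanged binding, no alert
    (14, "192.0.2.30", "00:00:5e:00:53:66"),  # same MAC now speaks for a second IP
]


def detect_arp_anomalies(observations):
    """Return alerts for IP-to-MAC binding changes and MACs claiming several IPs."""
    ip_to_mac = {}      # most recent MAC seen for each IP
    mac_to_ips = {}     # every IP each MAC has claimed
    alerts = []
    for seconds, ip, mac in observations:
        mac = mac.lower()                      # MAC case differs between tools
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # Frames for this IP are about to be delivered somewhere else.
            alerts.append((seconds, "binding-changed", ip,
                           f"{previous} -> {mac}"))
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:
                # One interface answering for several IPs is what a
                # traffic-forwarding host in the middle looks like.
                alerts.append((seconds, "mac-claims-multiple-ips", mac,
                               ", ".join(sorted(claimed))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(OBSERVED):
        print(alert)
```

Legitimate events such as a replaced network card or a failover pair also change bindings, so alerts on infrastructure addresses like the gateway deserve attention first.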
3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan
Security plans are a critical aspect of a firm or organization’s secure operations. Security plans, or more precisely, system security plans, are specific guidelines and procedures to accomplish the secure setup, operation, and maintenance of an information system. To effectively implement a system security plan for a large infrastructure, it is necessary to leverage security technology to automate the important and otherwise time-consuming aspects of the security operations. Tools for scanning are invaluable for gaining a snapshot of the vulnerabilities that exist on a given network at a given point in time. Most scanning tools include a reporting option or module that explains the vulnerabilities detected and provides a ranking of the criticality of each problem (e.g., high, medium, low). To enhance the security of your systems, assessments should be performed on a routine basis. This will provide the users and administrators assurance that the system is free from malicious code. Just as thousands of vulnerabilities are reported each year, systems must be scanned at regular and frequent intervals to ensure that they are not susceptible to attack. In addition, when new hosts are connected to the system, networks must be checked for the risks that these new systems might bring to the overall network. Checks must also be conducted when newly discovered weaknesses in existing applications and operating systems are announced. After all, “a fundamental tenet of security is that a chain is only as strong as its weakest link and a wall is only as strong as its weakest point. Smart attackers are going to seek out that weak point and concentrate their attention there.” [13] A single host that is vulnerable to attack puts the entire network at risk. The identification of vulnerabilities on a system is only half the challenge.
The other half of the challenge is fixing the vulnerabilities that are found. Identified vulnerabilities can be corrected via patches, updating, or even reconfiguring the system. Finding the time and money to correct the vulnerability can be a challenge. The system and network administrators must work with management to share the information that was found during the assessment and weigh the costs of correcting the vulnerability against the benefits. There are tools that can automatically patch a large number of vulnerabilities and systems, but they are often very expensive. Managers and administrators need to understand their environment and choose a solution that fits. A manager can choose not to spend the money on a more robust patch management solution, but must realize that manpower must replace what he or she has chosen not to purchase in an automated solution. Unfortunately, scanning tools suffer from false positive problems and false negative problems in vulnerability identification that are similar to antivirus products. A false positive means that a tool finds a vulnerability that does not exist. For example, a particular scanner may report that a network server is a Windows® 2000 system that is vulnerable to a known Microsoft Internet Information Server (IIS) Web server bug, when in fact, the server is a Linux system running the Apache Web server. A false negative means that a tool fails to find an existing vulnerability. An example of this behavior could be when a particular tool tests a network host and fails to discover that it is remotely exploitable through an anonymous login. Ultimately, common sense must be applied to all findings to ensure that meaningful vulnerabilities are corrected; however, time should not be wasted on erroneous results. Finding the right balance can sometimes be difficult. One potential strategy for reducing the number of false positives and false negatives is to run two different scanners against a given network and compare the results. In most cases, the results of both tools will complement each other so that no weaknesses are overlooked.
In all cases, it is necessary to have a knowledgeable and responsible security professional who can effectively leverage security tools to manage the security operations of an organization.
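The two-scanner strategy described above can be sketched as follows. This is an added example, not part of the original report: the findings, check names and record layout are constructed and do not correspond to any real scanner's output format, and the sample data mirrors the report's IIS-on-Linux false positive and missed anonymous login.

```python
from collections import namedtuple

# One reported finding; "platform" is the OS the scanner believes the host runs.
Finding = namedtuple("Finding", "host port check platform")

# Constructed results; check names are placeholders, not real scanner IDs.
SCANNER_A = [
    Finding("192.0.2.5", 80, "iis-known-bug", "Windows 2000"),
    Finding("192.0.2.7", 22, "outdated-ssh", "Linux"),
]
SCANNER_B = [
    Finding("192.0.2.5", 80, "apache-outdated", "Linux"),
    Finding("192.0.2.7", 21, "anonymous-login", "Linux"),
    Finding("192.0.2.7", 22, "outdated-ssh", "Linux"),
]


def index(findings):
    """Key findings by (host, port, check) so two result sets can be compared."""
    return {(f.host, f.port, f.check): f for f in findings}


def platforms_by_host(findings):
    """Collect every platform name any scanner assigned to each host."""
    seen = {}
    for finding in findings:
        seen.setdefault(finding.host, set()).add(finding.platform)
    return seen


def compare(scan_a, scan_b):
    """Separate findings both tools agree on from those needing manual review."""
    a, b = index(scan_a), index(scan_b)
    platforms = platforms_by_host(list(scan_a) + list(scan_b))
    disputed = {host for host, names in platforms.items() if len(names) > 1}
    triage = []
    for key in sorted(set(a) ^ set(b)):          # reported by exactly one tool
        source = "A" if key in a else "B"
        if key[0] in disputed:
            reason = "scanners disagree on platform: possible false positive"
        else:
            reason = "other scanner silent: possible false negative there"
        triage.append((key, source, reason))
    return {
        "confirmed": sorted(set(a) & set(b)),
        "disputed_hosts": sorted(disputed),
        "triage": triage,
    }


if __name__ == "__main__":
    result = compare(SCANNER_A, SCANNER_B)
    print("confirmed:", result["confirmed"])
    for key, source, reason in result["triage"]:
        print(f"review {key} (scanner {source}): {reason}")
```

The triage list is an input for the analyst, not a verdict: a finding on a disputed host may still be real once the platform is confirmed.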
SECTION 4 Tool Collection
4.1 Classification
Existing community relationships were leveraged during the process of data gathering on the tools. Collection activities included Internet searches to identify additional corporations, professional organizations, and universities with involvement in vulnerability analysis. The tools described in the IATAC IA Tools Database can be categorized within one or more of the topical areas listed below— XXHost scanning—Host-scanning tools scan critical
system files, active processes, file shares, and the configuration and patch level of a particular system. The results produced from this type of tool are usually very detailed because they run on the host system at the same permission level as the user conducting the scan. Although host-based tools provide very detailed results, sometimes the volume of data that is produced from these scans (i.e., when conducted across several hosts) can be difficult to aggregate and correlate to produce results [Imagine an administrator trying to physically visit and test 1,000 workstations.]). XXNetwork scanning—Network-scanning tools scan available network services for vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation. XXWeb application scanning—Web applicationscanning tools designed specifically for the Web are a specialized form of network or host scanner that interrogates Web servers or scan Web source code for known vulnerabilities (e.g., DominoScan). These tools often search for the presence of default accounts, directory traversal attacks, form validation errors, insecure cgi-bin files, demonstration Web pages, and other vulnerabilities. XXDatabase application scanning—Database application-scanning tools that are specifically designed for databases are a unique form of
network scanner. These tools interrogate database servers for known vulnerabilities (e.g., AppDetective). XXVulnerability and patch management—The category of Vulnerability and Patch Management has tools that wrap up many aspects of vulnerability management. These tools address vulnerabilities, policy compliance, patch management, configuration management and reporting. These are meant to be all-in-one solutions that make managing very large networks and domains efficient and require as little manpower as possible.
4.2 Tool Selection Criteria

The selected tools meet the following three criteria:

- Definition: These tools satisfy the objective, approach, and methodology of a vulnerability analysis tool based on the definition of vulnerability.
- Specificity to vulnerability analysis: The primary function of these tools is vulnerability analysis or vulnerability management. These tools may also be used during the first stages of a penetration attack as a way of identifying the target system’s weaknesses and helping to fine-tune the attack. Penetration test tools, whose primary purpose is to exploit identified vulnerabilities and cause damage or destruction to the target system, are not included.
- Current availability: The tools that are included in this report are currently available from the Government, academia, or commercial sources, or as freeware on the Internet. Some tools that were included in previous versions of this report are no longer available or have been renamed. All tools from previous releases of this report that are no longer available have been removed.
SECTION 5
Vulnerability Analysis Tools

Section 5 summarizes pertinent information, providing users a brief description of available vulnerability analysis tools and vendor contact information. Again, IATAC does not endorse, recommend, or evaluate the effectiveness of these tools. The written descriptions are drawn from vendors’ information and are intended only to highlight the capabilities or features of each product. It is up to the reader to assess which product, if any, may best suit his or her security needs.

Trademark Disclaimer

The authors have made a best effort to indicate registered trademarks where they apply, based on searches in the U.S. Patent and Trademark Office Trademark Electronic Search System for “live” registered trademarks for all company, product, and technology names. There is a possibility, however, that due to the large quantity of such names in this report, some trademarks may have been overlooked in our research. We apologize in advance for any trademarks that may have been inadvertently excluded, and invite the trademark registrants to contact the IATAC to inform us of their trademark status so we can appropriately indicate these trademarks in our next revision. Note that we have not indicated non-registered and non-U.S. registered trademarks due to the inability to research these effectively.
Legend For Tables

For each tool described in this section, a table provides certain information about that tool. This information includes:

Type: The type of tool, or category in which this tool belongs, e.g., “Web Application Scanning”
Operating System: The operating system(s) on which the tool runs. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the operating system is embedded in the tool.
Hardware: The third-party hardware platform(s) on which the tool runs, plus any significant additional hardware requirements, such as minimum amount of random access memory or free disk space. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the hardware is incorporated into the tool.
License: The type of license under which the tool is distributed, e.g., Commercial, Freeware, GNU Public License
NIAP Validated: An indication of whether the product has received a validation by the National Information Assurance Partnership (NIAP) under the Common Criteria, Federal Information Processing Standard 140, or another certification standard for which NIAP performs validations. If no such validation has been performed, this field will be blank.
Common Criteria: If the tool has received a Common Criteria certification, the Evaluation Assurance Level and date of that certification. If no such certification has been performed, this field will be blank.
Developer: The individual or organization responsible for creating and/or distributing the tool
URL: The Uniform Resource Locator (URL) of the Web page from which the tool can be obtained (downloaded or purchased), or in some cases, the Web page at which the supplier can be notified with a request to obtain the tool

IATAC does not endorse any of the following product evaluations.
Acunetix® Web Vulnerability Scanner

Abstract
Acunetix’s engineers have focused on Web security since 1997 and have developed tools for Web site analysis and vulnerability detection.

Features
- AcuSensor Technology;
- An automatic Javascript analyzer allowing for security testing of Ajax and Web 2.0 applications;
- Structured Query Language (SQL) injection and cross-site scripting (XSS) testing;
- Visual macro recorder allows for testing Web forms and password protected areas;
- Reporting facilities including VISA Payment Card Industry (PCI) compliance reports;
- Multi-threaded scanner crawls hundreds of thousands of pages;
- Crawler detects Web server type and application language;
- Acunetix crawls and analyzes Web sites, including flash content, SOAP, and AJAX;
- Port scans a Web server and runs security checks against network services running on the server.

Type: Web Application Scanning
Operating System: Windows XP, Vista, 2000, server 2003
Hardware Requirements: 1 gigabyte (GB) random access memory (RAM), 100 megabyte (MB) disk space
License: Commercial (Free Trial Copy)
NIAP Validated:
Common Criteria Rating:
Developer: Acunetix
Availability: http://www.acunetix.com/vulnerability-scanner/
AppDetective

Abstract
A network-based, vulnerability assessment scanner, AppDetective discovers database applications within an infrastructure and assesses their security strength. In contrast to piecemeal solutions, AppDetective modules allow enterprises to assess two primary application tiers—application/middleware, and back-end databases—through a single interface. Backed by a proven security methodology and extensive knowledge of application level vulnerabilities, AppDetective locates, examines, reports, and fixes security holes and misconfigurations. As a result, enterprises can proactively harden their database applications while at the same time improving and simplifying routine audits.

Features
- Automated database discovery and inventory,
- User rights management,
- Job scheduling,
- Database-specific vulnerability assessment,
- Compliance mapping,
- “Outside-in” and “inside-in” vulnerability testing,
- Industry leading database vulnerability knowledge base,
- Automated information gathering and analysis,
- Scalable database scanning,
- Advanced, customizable reporting.

Type: Database Scanning
Operating System: Windows XP, Server 2003
Hardware Requirements: 750 Megahertz (MHz) central processing unit (CPU), 512 MB RAM, 300 MB Disk Space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Application Security, Inc.
Availability: http://www.appsecinc.com/products/appdetective/
ASG Information Assurance Application (IA2)

Abstract
ASG’s Information Assurance Application (IA²) automates the reporting requirements of DISA. IA² automatically parses, stores, tracks, and reports on the Defense Information Systems Agency’s (DISA) Security Readiness Review, third party vulnerability scanner results, and DISA’s Security Checklists.

IA² has the ability to synchronize the local database with the third party vulnerability scanners as well as the DISA Security Readiness Review scripts. All of the data from each source is combined and cross referenced giving a complete view of your environment. IA² also incorporates a robust reporting solution allowing for tracking, trending and ad hoc reporting.

Features
- Federal Information Security Management Act of 2002 (FISMA) automation,
- Vulnerability gap analysis,
- Scanner cross-referencing,
- Information drilldown,
- Automated security checklist,
- Accepts third party scan,
- Advanced reporting,
- Trending,
- Automatically updates signatures,
- Automatic reporting,
- Ad Hoc reporting,
- Secure communication,
- Secure data storage,
- Distributed architecture,
- Windows authentication,
- Role-based security.

Supported Scanners
- Foundstone,
- Harris STAT,
- eEye,
- Nessus,
- nCircle.

Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Atlantic Systems Group, Inc. (ASG)
Availability: http://www.asg.cc/IA2/
BigFix® Security Configuration and Vulnerability Management Suite

Abstract
Offered as part of the BigFix Security Configuration and Vulnerability Management suite, BigFix Vulnerability Management reduces risk across the enterprise for all assets, whether they are fixed or mobile, desktops, laptops, or servers. Through a repository of vulnerability assessment policies, BigFix provides organizations with the ability to assess their managed systems against Open Vulnerability Assessment Language (OVAL)-based vulnerability definitions. Each managed endpoint quietly and continuously evaluates the state of the endpoint, and reports on any non-compliant policy in real-time by leveraging the power of BigFix Unified Management platform. Additionally, the BigFix high performance architecture enables the industry’s fastest time to remediation and closely bridges assessment with remediation by applying necessary patch and configuration policies.

Features
- Assess managed endpoints against known vulnerabilities using pre-defined, out-of-the-box OVAL-based policy definitions;
- Identify and eliminate known vulnerabilities across hundreds of thousands of endpoints using automated policy enforcement or manual deployment;
- Continuously enforce policies on or off the network;
- Map all vulnerabilities to industry standards to provide Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System references and links to the National Vulnerability Database (NVD);
- Integrate with BigFix Patch Management and Security Configuration Management for comprehensive assessment and remediation of identified vulnerabilities;
- Create flexible, on-demand ad-hoc custom queries and reports;
- Security Content Automation Protocol (SCAP) validated.

Type: Vulnerability and Patch Management
Operating System: Windows Server 2000/2003/2008
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: BigFix
Availability: http://www.bigfix.com/content/vulnerability-management
Computer Oracle and Password (COPS)

Abstract
Computer Oracle and Password (COPS) is a security toolkit that examines a system for a number of known weaknesses, and it alerts the system administrator to these weaknesses. In some cases, it can automatically correct these problems.

Type: Database Scanning
Operating System: Unix
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Dan Farmer
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners
CORE IMPACT™

Abstract
CORE IMPACT Pro is a comprehensive software solution for assessing the security of network systems, endpoint systems, email users, and Web applications. Backed by Core Security’s ongoing vulnerability research and threat expertise, IMPACT Pro allows you to get in-depth visibility of your organization’s network and application vulnerabilities.

Features
- Gather system information via Network Discovery, Port Scanner, and operating system (OS) and Service Identification modules;
- Identify critical OS, service, and application vulnerabilities with a constantly updated library of Commercial-Grade Exploits;
- Demonstrate the consequences of a breach by replicating the steps an attacker would take, including opening command shells, browsing file systems, and seeking administrative privileges;
- Emulate multistaged threats that leverage compromised systems as beachheads to launch internal attacks against backend network resources;
- Run tests without installing modules on compromised systems, or altering them in any way;
- Generate reports containing actionable data for prioritizing remediation, demonstrating security improvements, and complying with regulations;
- CORE IMPACT Pro enables you to test Web applications against XSS (URL-based), SQL Injection, Blind SQL Injection, and Remote File Inclusion for PHP applications;
- Identify weaknesses in Web applications, Web servers, and associated databases—with no false positives;
- Dynamically generate exploits that can compromise security weaknesses in custom applications;
- Demonstrate the consequences of a successful attack by replicating local attacks against backend resources;
- Get actionable data necessary for focusing development resources on remediating proven security issues.

Type: Network Scanning
Operating System: Windows XP, Windows Vista
Hardware Requirements: 3 Gigahertz (GHz) Pentium 4+ CPU, 1 GB+ RAM, 1 GB+ Disk space, 1024x768+ resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Core Security Technologies
Availability: http://www.coresecurity.com/content/core-impact-overview
DominoScan II

Abstract
Specially developed to present the attacker’s eye view of the security issues surrounding Lotus Domino Web servers and bespoke Notes applications, DominoScan II (DSII) runs on Microsoft Windows and has the capability to audit Lotus Domino Web Servers running on any operating system. An NGSSoftware-developed technique (Database Structure Enumeration) allows DSII to interrogate every view, form, and agent within a database, even if access control list (ACL) access protection has been invoked. It will perform an exhaustive range of tests on each document, auditing over one hundred sensitive and default databases and subjecting all documents to a vigorous set of vulnerability assessment checks.

Features
- Attempts to gain access to over 100 sensitive/default databases;
- Web Administrator template access using ReplicaID;
- Web Administrator template access using buffer truncation;
- ‘cache.dsk’ access using buffer truncation;
- Directory traversal;
- Database browsing;
- Audits bespoke databases;
- Unique database structure enumeration technology;
- Finds hidden and visible views;
- Default Navigator Access;
- Attempts to bypass default Navigator protection;
- Evaluates database design;
- Checks every document for Edit access;
- Attempts a forced search;
- ReadEntries & ReadViewEntries access;
- Reporting in HyperText Markup Language (HTML) (Static/Dynamic), eXtensible Markup Language (XML), Text file, rich text format, and Open Database Connectivity (Microsoft) database;
- Fast, easy to use, and highly configurable;
- Can perform focused audits;
- Unique Spidering capability offering intelligent scanning;
- Ability to scan as an authenticated user;
- Ability to perform QuickHit audit;
- Vulnerability link to CVE.

Type: Web Application Scanning
Operating System: Windows 2003, 200, XP, NT 4.0
Hardware Requirements: 500 MHz Pentium III, 512 MB RAM, 20 MB Disk Space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/dominoscan.php
DumpSec v2.8.6

Abstract
SomarSoft’s DumpSec is a security auditing program for Microsoft Windows NT/XP/200x. It dumps the permissions (Discretionary Access Control Lists) and audit settings (System Access Control Lists) for the file system, registry, and printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group, and replication information.

Type: Host Scanning
Operating System: Windows NT/XP/200x
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: SomarSoft
Availability: www.somarsoft.com
eTrust® Policy Compliance

Abstract
eTrust Policy Compliance provides enterprises with the tools and information necessary to eliminate one of the most overlooked threats to networks: misconfigured assets. eTrust Policy Compliance helps organizations identify and compare the security configurations of their critical business assets to an established baseline, provides configuration remediation, and measures progress through risk-based reporting. eTrust Policy Compliance provides a comprehensive policy and configuration assessment process to mitigate risk and ensure compliance with security policies, government regulations, and industry standards.

Features
- Identify misconfigured IT assets,
- Create secure configuration baselines and monitor deviations,
- Provide configuration remediation and measure progress through risk-based reporting,
- Offer extensible tools and open interfaces for custom security configuration management.

Type: Network Scanning
Operating System: Linux, Windows, Unix
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Computer Associates
Availability: http://www3.ca.com/solutions/Product.aspx?ID=165
Fortiscan Vulnerability Management

Abstract
FortiScan provides a centrally managed, enterprise-scale solution that enables organizations to close IT compliance gaps, and implement continuous monitoring in order to audit, evaluate, and comply with internal, industry, and regulatory policies for IT controls and security at the OS level. Organizations realize quick time-to-value with easy to install, intuitive, high value standard compliance policies (National Institute of Standards and Technology [NIST] SCAP, Federal Desktop Core Configuration (FDCC), PCI data security standard (DSS), Sarbanes-Oxley Act (SOX), Gramm-Leach Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA)) ready out of the box with regular updates by FortiGuard to ensure OS regulatory compliance requirements are met.

FortiScan dedicated hardware appliances easily plug into the network for fast deployment. FortiScan integrates endpoint vulnerability management, industry and federal compliance, patch management, remediation, auditing, and reporting into a single, unified appliance for immediate results. A centralized administration console facilitates management of multiple FortiScan appliances across the enterprise.

Features
- Identifies security vulnerabilities and finds compliance exposures on hosts, servers, and throughout the network transparently to end users;
- Network discovery, asset prioritization, and profile-based scanning;
- Industry, regulatory and best practices, including templates for ISO 17799, SOX, HIPAA, GLBA, NIST, SCAP, and FISMA;
- Audits and monitors across heterogeneous systems and provides industry standard benchmarks for information security compliance audits for operating systems;
- Aids compliance for regulatory mandates with 360-degree reporting and analysis, and views;
- Delivers patch management with ready-to-deploy remediation and enforcement actions—allowing network managers to change configurations and potentially mitigate weak settings, including disabling an application or denying a network request;
- Reduced errors, repeatable processes, and predictable results delivered with extensive libraries of templates that enable IT staff to leverage industry standard best practices that produce measurable results.

Type: Vulnerability and Patch Management
Operating System: N/A
Hardware Requirements: Vendor Supplied Hardware
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Fortinet
Availability: http://www.fortinet.com/products/fortiscan/
GFI LANguard®

Abstract
Scans a network and ports to detect, assess, and correct security vulnerabilities with minimal administrative effort. GFI LANguard performs network scans using vulnerability check databases based on OVAL and SysAdmin, Audit, Network, Security (SANS) Top 20, providing over 15,000 vulnerability checks.

- Patch Management: GFI LANguard has built-in patch management features that can automatically download missing Microsoft security updates, as well as automatically deploy the missing Microsoft patches or service packs over the network at the end of scheduled scans.
- Hardware and Software Management: GFI LANguard’s network auditing feature retrieves hardware information on memory, processors, display adapters, storage devices, motherboard details, printers, and ports in use and monitors any changes that may occur. GFI LANguard can also monitor a software baseline, informing administrators when a new program is installed and can automatically uninstall unauthorized applications.

Type: Vulnerability and Patch Management
Operating System: Windows, Mac OS, Linux
Hardware Requirements: 1 GHz CPU, 512 MB RAM, 500 MB Disk space (Minimum. Scanning more hosts requires higher specs. See documentation for details)
License: Commercial—Free version available
NIAP Validated:
Common Criteria Rating:
Developer: GFI
Availability: http://www.gfi.com/lannetscan
Gideon SecureFusion Vulnerability Management

Abstract
Part of the SecureFusion suite, Vulnerability Management scans for thousands of known vulnerabilities in operating systems, infrastructure, network applications, and databases. The vulnerability signatures are updated on a daily basis and provide checks for the most recent security vulnerabilities.

The SecureFusion Portal provides a complete view of assets, vulnerabilities, configuration details, and policy compliance metrics. Instead of outdated spreadsheets and cumbersome tools that cannot correlate data, the SecureFusion Portal helps you intelligently analyze your IT environment regarding unmanaged assets, vulnerabilities, improper settings, and the reasons behind failed compliance checks.

SecureFusion is built on the additive intelligence of four core capabilities:
- Asset discovery: performs continuous audits of managed and unmanaged assets with no impact to the network;
- Vulnerability management: conducts ongoing, active vulnerability detection and reporting for operating systems, infrastructure, network applications, and databases;
- Configuration management: continuously compares system configuration and compliance with IT security standards;
- Policy management: initiates, reviews, publishes, and maintains security policies.

Vulnerability Management offers:
- End-to-end automation and workflow,
- System patch reporting,
- Results filtering,
- Automated signature updates,
- Target blacklisting,
- Bandwidth throttling,
- Massive scalability,
- Dynamic report building,
- Automated scheduling.

Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Gideon Technologies
Availability: http://www.thegideongroup.com/vulnerability-management.asp
Host Based Security System (HBSS)

Abstract
The Host Based Security System (HBSS) baseline is a flexible, commercial off-the-shelf (COTS)-based application. It monitors, detects, and counters against known cyber threats to the DoD Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and host firewall. DISA Information Assurance/Network Operations Program Executive Office (PEO-IAN) is providing the program management and supporting the deployment of this solution.

Scope
The scope of the HBSS deployment is worldwide. This vast effort requires a large support infrastructure to be in place. DISA PEO-IAN has instituted support services to enable the comprehensive implementation of the HBSS system to all the combatant commands, services, agencies, and field activities.

Features
- ePolicy Orchestrator (ePO) management suite;
- Central security manager;
- Enables the installation, management, and configuration of the HBSS components;
- View reports to help monitor deployments, vulnerabilities, and protection levels;
- McAfee Agent (MA);
- Provides local management of all HBSS products collocated on the host;
- Runs silently in the background to gather information and events from managed systems;
- Sends collected data to the ePO server;
- Manages modules and software updates of other HBSS products on the host system;
- Enforces policies on the host machines;
- Host Intrusion Prevention System (HIPS);
- Enforces security policy;
- Adds a robust layer of protection to the MA end-point asset that includes known and unknown buffer overflow exploit protection, prevention of malicious code installation/execution, and identification of activities that deviate from DoD or organizational policy;
- Asset Information (formerly referred to as the INFOCON);
- Generates snapshots of asset configurations to facilitate detection of changes made to authorized baselines;
- Rogue System Detection (RSD);
- Detects all systems connecting to the network;
- Identifies unmanaged (or Rogue) systems present on the network;
- Policy Auditor (PA);
- Scans remote computers to determine compliance with defined policies;
- Identifies host vulnerabilities on the network.

Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements:
License: Commercial/Government
NIAP Validated:
Common Criteria Rating:
Developer: DISA–DoD
Availability: http://www.disa.mil/news/pressresources/factsheets/hbss.html
Internet Scanner®

Abstract
The Internet Scanner vulnerability assessment application minimizes risk by identifying the security holes or vulnerabilities in the network so the user can protect the network before an attack occurs. Internet Scanner can identify more than 1,300 types of networked devices on a network, including desktops, servers, routers/switches, firewalls, security devices, and application routers. Internet Scanner analyzes the configurations, patch levels, operating systems, and installed applications to find vulnerabilities that could be exploited by hackers trying to gain unauthorized access.

Features
- Unlimited asset identification,
- Dynamic check assignment,
- Common policy editor,
- Real-time display,
- Vulnerability catalog,
- Comprehensive reporting,
- Centralized vulnerability management features,
- Enterprise-class scalability,
- Remote scanning,
- Enterprise reporting,
- Automatic security content updates,
- Command scheduler,
- Asset management,
- Real-time display,
- User administration.

Type: Network Scanning
Operating System: Windows 2000 Professional/SP4, Windows Server 2003 Standard SP1, Windows XP Professional SP1a
Hardware Requirements: 1.2 GHz CPU, 512 MB RAM, 650 MB disk space (minimum)
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Internet Security Systems–Owned by IBM
Availability: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027208
Lumension Scan™

Abstract
Lumension Scan, a component of Lumension Vulnerability Management, is a complete stand-alone, network-based scanning solution that performs a comprehensive external scan of all devices connected to your network, both managed and unmanaged. Once assets are identified, the powerful, yet easy-to-use Lumension Scan detects weaknesses on these devices before they can be exploited.

Features
- Rapid and complete asset discovery and inventory of all devices on the network,
- Thorough and accurate network-based software and configuration vulnerability assessment,
- Risk-based vulnerability prioritization for identified threats,
- Continuously updated vulnerability database for orderly remediation,
- Comprehensive management and audit reporting.

Type: Network Scanning
Operating System: Windows XP Pro SP2+, Windows Server 2003 SP1+, Windows Server 2003 R2+
Hardware Requirements: 2 GHz CPU, 1 GB RAM, 20 GB disk space, 1024x768 Monitor Resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Lumension
Availability: http://www.lumension.com/vulnerabilitymanagement/software-vulnerabilityassessment.jsp?rpLangCode=1&rpMenuId=150835
Vulnerability Analysis Tools
MBSA 2.1

Abstract
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products, including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server.

MBSA 2.1 is the latest version of Microsoft’s free security and vulnerability assessment scan tool for administrators, security auditors, and IT professionals. MBSA 2.1 offers Windows Vista and Windows Server 2008 compatibility, a revised user interface, 64-bit support, improved Windows Embedded support, and compatibility with the latest versions of the Windows Update Agent based on MU. MBSA 2.1 is also compatible with MU, Windows Server Update Services 2.0 and 3.0, the SMS Inventory Tool for Microsoft Update, and SCCM 2007.

MBSA 2.1
Type: Host Scanning
Operating System: Windows XP, Vista, Windows Server 2003, 2008
Hardware Requirements: x86, IA64, x64
License: Free
NIAP Validated:
Common Criteria Rating:
Developer: Microsoft
Availability: http://technet.microsoft.com/en-us/security/cc184924.aspx
McAfee® Vulnerability Manager

Abstract
McAfee Vulnerability Manager (formerly McAfee Foundstone Enterprise) uses a priority-based approach that combines vulnerability, asset data, and countermeasures to help you make more informed decisions. It uses threat intelligence and correlation data to determine how emerging threats and vulnerabilities on networked systems affect your risk profile, so that you deploy resources where they are needed most. Improve operational efficiency and security protection while meeting tough mandates outlined in SOX, FISMA, HIPAA, and PCI DSS.

Vulnerability Manager is available as software or a secure, hardened appliance. Both increase the efficiency of your existing resources, resulting in a low cost of ownership. If you prefer a hosted option, choose the McAfee Vulnerability Management Service. It performs credential-based scans of UNIX, Cisco IOS, and Microsoft Windows platforms for correct patching. The Content Release Calendar provides automatic updates, including new OS support, vulnerability scan scripts, and compliance checks.

Vulnerability Manager integrates with your existing technologies and with other McAfee products, leveraging your investments. McAfee® Network Security Platform correlates Vulnerability Manager data to inform you of the most relevant threats targeting your systems. McAfee Risk and Compliance Manager (formerly McAfee Preventsys®) collects data from Vulnerability Manager to calculate risks, monitor risk scores, and automate compliance reporting. McAfee ePolicy Orchestrator® feeds asset and system protection data into Vulnerability Manager for accurate assessments.

McAfee Vulnerability Manager
Type: Vulnerability and Patch Management
Operating System: Windows Server 2000 or 2003
Hardware Requirements: Dual core or dual processor CPU at 2 GHz, RAM 2 GB, 80 GB disk space, ethernet interface. Preconfigured vendor supplied appliances also available.
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: McAfee
Availability: http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html
Metasploit

Abstract
The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler. The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

Metasploit
Type: Network Scanning
Operating System: Windows, Linux, Mac
Hardware Requirements:
License: Open Source
NIAP Validated:
Common Criteria Rating:
Developer: Metasploit, LLC
Availability: http://www.metasploit.com/home/
N-Stalker® Web Application Security Scanner

Abstract
N-Stalker Web Application Security Scanner 2009 is a Web Security Assessment solution developed by N-Stalker. By incorporating the “N-Stealth HTTP Security Scanner” and its 39,000 Web Attack Signature database, along with a patent-pending Component-oriented Web Application Security Assessment technology, N-Stalker is a security tool for developers, system/security administrators, IT auditors, and staff.

Features
- N-Stalker is a security assessment tool designed to crawl and evaluate custom Web Applications. It does not rely on out-of-box signatures.
- N-Stalker is used for either custom or off-the-shelf Web applications, including large financial customers, government agencies, foreign intelligence services, and armed forces.
- N-Stalker will inspect common Web application vulnerabilities, including Open Web Application Security Project Top 10, Common Weakness Enumeration Top 25 (see cwe.mitre.org), and a wide range of issues that affect overall security.
- N-Stalker will scan for both Web server infrastructure and application layers. Currently, there are more than 39,000 Web attack signatures included in our database to identify weaknesses in a Web server and third-party software components.
- N-Stalker implements its own patent-pending “component-oriented Web application security analysis” technology, an assessment methodology.

N-Stalker Web Application Security Scanner
Type: Web Application Scanning
Operating System: Windows (Windows 2000 or later)
Hardware Requirements: 1 GB RAM, 500 MB disk space
License: Commercial, Free
NIAP Validated:
Common Criteria Rating:
Developer: N-Stalker
Availability: http://nstalker.com/products
nCircle® IP360

Abstract
As a component of nCircle’s security risk and compliance management suite, IP360 is a vulnerability and risk management system, enabling enterprises and government agencies to cost-effectively measure and manage their security risk. IP360 comprehensively profiles all networked devices and their applications, vulnerabilities, and configurations, and includes coverage for over 25,000 conditions (operating systems, applications, vulnerabilities, and configurations), providing the ideal foundation for assessing every system on the network. IP360’s agentless architecture is designed for rapid deployment and ease of management across large, globally distributed networks.

Features
- Comprehensive, agentless discovery and profiling of all network assets for over 25,000 conditions;
- Enterprise scalability, ease of deployment, and operational effectiveness;
- Integrated network topology risk analysis for identifying the highest priority vulnerabilities;
- Integrated Web application scanning to identify security risk in Web applications;
- Flexible reporting across all levels of the enterprise.

nCircle IP360
Type: Vulnerability and Patch Management
Operating System: N/A
Hardware Requirements: Vendor supplied scanning appliance
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL3 – May 16, 2005
Developer: nCircle
Availability: http://www.ncircle.com/index.php?s=products_ip360
Nessus® Vulnerability Scanner

Abstract
The Nessus vulnerability scanner is an active scanner, featuring high-speed discovery, asset profiling, and vulnerability analysis of the user’s security posture. Nessus scanners can be distributed throughout an entire enterprise, inside demilitarized zones, and across physically separate networks. They can also be made available for ad hoc scanning, daily scans, and quick-response audits. When managed with the Security Center, vulnerability recommendations can be sent to the responsible parties, remediation can be tracked, and security patches can be audited.

Features
- Agentless scanning (patch and configuration auditing),
- High-speed vulnerability identification,
- Complete network assessment and discovery.

Nessus Vulnerability Scanner
Type: Network Scanning
Operating System: Windows, Linux, Mac OS, Unix
Hardware Requirements:
License: Commercial – Free for personal use
NIAP Validated:
Common Criteria Rating:
Developer: Tenable Network Security
Availability: http://www.nessus.org/nessus/
NetIQ® Secure Configuration Manager

Abstract
NetIQ Secure Configuration Manager audits system configurations and compares them to corporate policies, previous snapshots, and/or other systems. It also leverages this configuration information to reliably identify vulnerabilities and exposures, using the latest security updates. NetIQ Secure Configuration Manager allows you to demonstrate regulatory compliance and manage IT risks via scored reporting to direct remediation efforts toward issues of highest priority.

Features
- NetIQ ensures configuration changes are identified and controlled. Secure Configuration Manager creates an inventory and baseline of existing system configurations, then compares results against a standard configuration image to highlight deviations.
- Secure Configuration Manager contains packaged security policy templates that align with regulations and standards, providing the intelligence necessary to document and demonstrate compliance with auditors. Role-based exception and workflow management helps enforce secure separation of duties.
- NetIQ Secure Configuration Manager identifies systems exposed to and/or compromised by the latest exploits, including worms, viruses, and blended threats.
- Across the enterprise, NetIQ Secure Configuration Manager measures the level of threats posed by vulnerabilities and compliance exceptions weighted by the importance of managed assets.
- NetIQ Secure Configuration Manager is SCAP Validated and NIAP Common Criteria certified, ensuring it meets the most stringent federal government guidelines on interoperability and secure design.

NetIQ Secure Configuration Manager
Type: Vulnerability and Patch Management
Operating System: Windows XP Pro, 2000, 2003 Server
Hardware Requirements:
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL2 – July 09, 2007
Developer: netIQ
Availability: http://www.netiq.com/products/vsm/default.asp
Network Mapper (Nmap®)

Abstract
Network Mapper (Nmap) is a free open-source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw Internet protocol (IP) packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what OSs (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and console and graphical versions are available.

Features
- Flexible—Nmap supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles.
- Powerful—Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
- Portable—Most operating systems are supported, including Linux, Microsoft Windows, and Unix based systems.
- Easy—Although Nmap offers a rich set of advanced features for power users, the user can start out as simply as nmap -v -A targethost. Both traditional command line and graphical user interface (GUI) versions are available to suit your preference.
- Free—Nmap is available for free download, and also comes with full source code that the user may modify and redistribute under the terms of the license.
- Well Documented—Significant effort has been put into comprehensive and up-to-date pages, white papers, and tutorials.
- Supported—Although Nmap comes with no warranty, it is well supported by the community.

Network Mapper (Nmap)
Type: Network Scanning
Operating System: Linux, MS Windows, Unix
Hardware Requirements:
License: Open Source
NIAP Validated:
Common Criteria Rating:
Developer: Insecure.org
Availability: http://nmap.org/
Nikto v2.03

Abstract
Nikto is an Open Source (general public license) Web server scanner that performs comprehensive tests against Web servers for multiple items, including over 3,500 potentially dangerous files/common gateway interfaces (CGI), versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated.

Features
- Uses rfp’s LibWhisker as a base for all network functionality,
- Main scan database in comma separated variable (CSV) format for easy updates,
- Fingerprint servers via favicon.ico files,
- Determines “OK” vs “NOT FOUND” responses for file type, if possible,
- Determines CGI directories for each server, if possible,
- Switch hypertext transfer protocol (HTTP) versions as needed so that the server understands requests properly,
- Secure Sockets Layer Support (Unix with OpenSSL or maybe Windows with ActiveState’s Practical Extraction and Report Language [PERL]/NetSSL),
- Output to file in plain text, HTML or CSV,
- Plugin support (standard PERL),
- Checks for outdated server software,
- Proxy support (with authentication),
- Host authentication (Basic),
- Watches for “bogus” OK responses,
- Attempts to perform educated guesses for Authentication realms,
- Captures/prints any Cookies received,
- Mutate mode to “go fishing” on Web servers for odd items,
- Builds Mutate checks based on robots.txt entries (if present),
- Scan multiple ports on a target to find Web servers (can integrate Nmap for speed, if available),
- Multiple intrusion detection system evasion techniques,
- Users can add a custom scan database,
- Supports automatic code/check updates (with Web access),
- Multiple host/port scanning (scan list files),
- Username guessing plugin via the cgiwrap program and Apache user methods.

Nikto v2.03
Type: Web Application Scanning
Operating System: Unix, Linux, Windows
Hardware Requirements:
License: Open Source
NIAP Validated:
Common Criteria Rating:
Developer: Cirt.net
Availability: http://www.cirt.net/nikto2
Orascan

Abstract
OraScan is a multi-environment auditing application developed to assess the security of Oracle Web applications. The finely detailed level of auditing supported by OraScan allows systems administrators and security professionals to gain full control of security issues surrounding online applications and front-end servers.

OraScan performs robust, in-depth security vulnerability audits, seeking out potential problem areas such as—
- SQL injection,
- XSS,
- Poor Web server configuration.

In addition, OraScan can be deployed to audit the configuration of Internet authentication service Web servers, ensuring that the Web application portion of your database software architecture is free of any security weaknesses.

Orascan
Type: Database Scanning
Operating System: Microsoft Windows 2003, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows NT Version 4.0 (Service Pack 4)
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.ngssoftware.com/products/internet-security/orascan.php
Paros Proxy v3.2.0Alpha

Abstract
Paros Proxy v3.2.0Alpha is a Java-based Web proxy for assessing Web application vulnerability. It supports editing/viewing HTTP/HTTP Secure (HTTPS) messages on the fly to change items such as cookies and form fields. It includes a Web traffic recorder, Web spider, hash calculator, and a scanner for testing common Web application attacks, such as SQL injection and XSS.

Paros Proxy v3.2.0Alpha
Type: Web Application Scanning
Operating System: All OSs supporting Java 1.4+
Hardware Requirements: N/A
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Paros
Availability: http://www.parosproxy.org/index.shtml
Proventia® Network Enterprise Scanner

Abstract
Proventia Network Enterprise Scanner is the next generation of the Internet scanner vulnerability assessment tool. Proventia Network Enterprise Scanner is a vulnerability protection system for the entire network that is enhanced with an integrated workflow vulnerability management subsystem and Proventia Enterprise Scanner that enables the user to drive protection measures throughout an infrastructure.

Features
- Vulnerability assessment,
- Complete vulnerability management and protection,
- Scanning-optimized Linux kernel,
- Hardened and secure,
- Multiple scan ports,
- Application fingerprinting,
- Workflow,
- Reporting,
- Asset identification,
- Asset classification,
- Scan windows,
- Automation,
- Scan load balancing/teaming,
- Flexible deployment options,
- Flexible policy management,
- Web-based local management,
- Centralized management system: Proventia Network Scanner is centrally managed using Proventia Management SiteProtector. SiteProtector is a scalable system that allows staff to control, monitor, and analyze events from a centralized console. SiteProtector improves security through correlation and integration with other security products, including—
  • Active/passive scanning through Proventia Network Enterprise Scanner and Proventia Network Anomaly Detection,
  • Scan and block capabilities through Proventia Network Enterprise Scanner and Proventia Network Intrusion Prevention System,
  • Correlation through the SiteProtector Security Fusion module.

Proventia Network Enterprise Scanner
Type: Network Scanning
Operating System: N/A
Hardware Requirements: Vendor supplied scanning appliance
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: IBM
Availability: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027216
proVM Auditor

Abstract
Prolific Solutions’ proVM Auditor is a vulnerability management tool that uses the output from multiple vulnerability and compliance scanners and aggregates the information into a single view. proVM Auditor presents vulnerability data in meaningful views via a vulnerability matrix that makes managing, tracking, and resolving vulnerabilities simpler and less resource-intensive.

Features
- Expedites compliance reviews
- Maps vulnerabilities to DoD 8500.2 IA Controls
- Facilitates/standardizes C&A processes
- Streamlines administration efforts
- Standard views of vulnerability data
- Reduces manual compliance efforts
- Small footprint; simple to use; does not require installation
- Accepts scanner output from the following Vulnerability Scanners:
  • eEye Retina
  • Lumension PatchLink
  • DISA SRRs
  • DISA Gold Disk
  • Application Security AppDetective
  • Tenable Nessus
  • Nmap
  • Other tools commercial or private can be added upon request

proVM Auditor
Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements: N/A
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Prolific Solutions
Availability: http://www.prolific-solutions.net/products.htm
QualysGuard® Vulnerability Management

Abstract
QualysGuard Vulnerability Management (VM) automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. QualysGuard delivers continuous protection against the latest worms and security threats without the substantial cost, resource, and deployment issues associated with traditional software. As an on demand Software-as-a-Service (SaaS) solution, there is no infrastructure to deploy or manage.

QualysGuard VM enables small to large organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities, including severity levels, time-to-fix estimates, and impact on business, plus trend analysis on security issues.

Features
- Vulnerability KnowledgeBase that incorporates over 6,000 unique checks;
- Non-intrusive detection techniques;
- Inference-based scanning engine;
- Authenticated or unauthenticated scanning capabilities;
- Internal and external scanning;
- Scans are configurable for optimum performance and minimum network load;
- Unique fingerprints for over 2,000 operating systems, applications, and protocols;
- Customization of scans to scan for specific ports/services and specific vulnerabilities;
- Scheduled and automated network discovery and vulnerability scan tasks on a daily, weekly, or monthly basis;
- Automated daily updates to the QualysGuard vulnerability KnowledgeBase;
- Easy access to concise, auto-generated reports via a Web browser;
- Executive Dashboard provides real-time illustration of risk;
- Graph and trend reports for managers;
- Detailed technical reports with verified remediation actions for technicians;
- SANS Top 20 Report provides industry baseline;
- Risk analysis report predicts the likelihood of exposure;
- CVE and Security Focus-linked and Bugtraq-referenced vulnerability checks with detailed remediation instructions;
- Customizable reports for flexible, on demand reporting by business units for executives and managers;
- Export reports to HTML, Microsoft Hypertext Archive, portable document format, CSV, and XML formats.

QualysGuard Vulnerability Management
Type: Network Scanning
Operating System: N/A
Hardware Requirements: Vendor supplied scanning appliance
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Qualys
Availability: http://www.qualys.com/products/qg_suite/vulnerability_management/
Rational AppScan®

Abstract
IBM Rational Web application security software helps IT and security professionals protect against the threat of attacks and data breaches. Involving more testers in the application security process results in higher quality, more secure applications at a reasonable cost. Rational offers Web application security solutions, including new malware detection capabilities, through the IBM Rational AppScan family of products. AppScan can be used for vulnerability scanning in all stages of application development and by testers with or without security expertise.

Features
- AppScan Build Edition—Embeds Web application security testing into the build management workflow,
- AppScan Developer Edition—Automates application security scanning for non-security professionals,
- AppScan Enterprise Edition—Web-based, multiuser solution providing centralized application security scanning and reporting,
- AppScan Express Edition—Provides affordable Web application security for smaller organizations,
- AppScan OnDemand—Identifies and prioritizes Web Application Security vulnerabilities via SaaS Model,
- AppScan OnDemand Production Site Monitoring—Monitors production Web content and sites for security vulnerabilities via SaaS Model,
- AppScan Reporting Console—Provides centralized reporting on Web application vulnerability data,
- AppScan Standard Edition—Desktop solution to automate Web application security testing,
- AppScan Tester Edition—Integrated Web application security testing in the quality assurance process.

Rational AppScan
Type: Web Application Scanning
Operating System: Windows XP, Server 2003
Hardware Requirements: 3 GHz CPU, 2 GB+ RAM, 200 MB disk space for installation plus at least 10 GB free space for logs
License:
NIAP Validated:
Common Criteria Rating:
Developer: IBM – Rational
Availability: http://www-01.ibm.com/software/awdtools/appscan/
Retina Network Security Scanner

Abstract
Retina Network Security Scanner is a professional-grade security solution with a lengthy track record of success. Retina contains all the integrated security and threat management tools needed to effectively identify and remediate the network vulnerabilities that lead to exposure and malicious attacks.

Features
- Discovers the assets in the network infrastructure, including operating system platforms, networked devices, databases, and third party or custom applications. Retina also discovers wireless devices and their configurations, ensuring these connections can be audited for the appropriate security settings. Additionally, Retina scans active ports and confirms the services associated with those ports.
- Implements corporate policy driven scans to audit internal security guidelines and ensure that configuration requirements are enforced and comply with defined standards. These custom scans can also assist with meeting any regulatory compliance requirements (e.g., SOX, HIPAA, GLB, PCI) customers may face.
- Remotely identifies system level vulnerabilities to mimic an attacker’s point of view, providing information that an outsider would see about a network. These remote checks do not require administrator rights, providing an accurate assessment, with fewer resources required to scan across departments, locations, or geographies.
- Incorporates a comprehensive vulnerabilities database and scanning technology, allowing users to proactively secure their networks against attacks.
- Updates are automatically uploaded at the beginning of each Retina session.

Retina Network Security Scanner
Type: Network Scanning
Operating System: Windows
Hardware Requirements: 256 MB RAM. Vendor-supplied appliance also available.
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: eEye Digital Security
Availability: http://www.eeye.com/html/products/retina/index.html
SAINT

Abstract
SAINT’s Web-like, easy-to-use GUI makes it easy to scan networks. Every live system on the network is screened for TCP and user datagram protocol (UDP) services. For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network.

When vulnerabilities are detected, SAINT categorizes the results in several ways, allowing users to target the data they find most useful. SAINT can group vulnerabilities according to severity, type, or count. It can provide information about a particular host or groups of hosts. SAINT describes each of the vulnerabilities it locates and references CVE or Information Assurance Vulnerability Alerts (IAVA), as well as CERT advisories.

Features
- Includes flexible/customizable scanning options, including SANS/Federal Bureau of Investigation Top 20;
- Scans anything with an IP address running TCP/IP protocols;
- Includes extensive documentation and online tutorials;
- Includes links to patches and new versions of software;
- Runs in remote mode;
- Is easily set up to run unattended using the GUI;
- Provides dynamic reporting capability that allows the user to drill down to get more information about the vulnerability and how to correct it;
- Cross-references vulnerabilities to IAVAs;
- Scans IPv4 or IPv6 addresses;
- Includes control panel that allows the user to stop, pause, and resume scans, and to view results in progress while the scan runs;
- Is certified CVE-compatible by MITRE.

SAINT
Type: Network Scanning
Operating System: Unix/Linux platform
Hardware Requirements: 256 MB RAM, 150 MB disk space. Vendor-supplied appliances also available.
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Saint Corporation
Availability: http://www.saintcorporation.com/products/data_sheets/SAINT_data_sheet.pdf
Second Look™

Abstract
Second Look captures, and forensically preserves, a computer’s volatile RAM. It analyzes the Linux operating system kernel in live memory or via a memory image, verifying its integrity and searching for signs of rootkits or other subversive software that have modified the executable kernel code or kernel data structures. With Second Look, analysts and investigators have a tool that provides a comprehensive view of a system, uninfluenced by any malware that might be running on it. Information pulled directly out of memory includes running processes, active network connections, loaded kernel modules, and many other essential system parameters. Second Look uncovers hidden kernel modules, processes, and network activity. Second Look integrates a real-time disassembler that allows inspection of any function or segment of kernel memory.

As threats to computer systems continue to increase in sophistication, traditional post-mortem (dead box) forensic analysis of hard disk contents is no longer sufficient. Advanced exploits allow for the implantation of rootkits and backdoors directly in memory, without an actual file ever touching the disk. Volatile memory must be acquired in a trustworthy fashion, and analyzed with security software such as Second Look.

Second Look
Type: Host Scanning
Operating System: Linux
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Pikewerks
Availability: http://pikewerks.com/sl
SecureScout® NX

Abstract
SecureScout NX is a third-generation scanning solution that performs real-time testing of global networks and firewalls. The architecture of SecureScout NX implements a centralized console to manage remote test engines and probes, enabling users to quickly and repeatedly scan and report vulnerabilities in distributed networks from a single location. SecureScout NX gives the user an impartial view of whether firewalls have been configured correctly to comply with security policies and protect the network.

SecureScout NX tests highlight information exposed to the outside world that cyber criminals could misuse to attack the organization. Diligent assessment of internal systems enables an organization to manage security risks and reduce potential liability. SecureScout NX delivers the knowledge needed to protect critical information from intruders and prepare countermeasures, making it difficult for attackers to get in. NetVigilance’s security experts continually research information sources for new vulnerabilities, and a secure Web service site automatically updates SecureScout NX. Through differential reporting, users can benchmark their security level at various points in time.

SecureScout NX
Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: NetVigilance
Availability: http://www.netvigilance.com/nx
SecureScout® Perimeter

Abstract
The SecureScout Perimeter service probes Internet-connected systems for vulnerabilities before hackers find them. It identifies holes in an Internet infrastructure, scanning beyond the firewall to any device with an IP address.

SecureScout Perimeter
Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: NetVigilance
Availability: http://www.netvigilance.com/perimeter
Security Auditor’s Research Assistant (SARA) v7.9.1
Abstract
The Security Auditor’s Research Assistant (SARA) is a third-generation network security analysis tool.

Security Auditor’s Research Assistant (SARA) v7.9.1
Type: Network Scanning
Operating System: Unix, Linux, Windows (through CoLinux)
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Advanced Research Corporation
Availability: http://www-arc.com/sara/

Features
- Operates under Unix, Linux, Mac OS/X or Windows (through coLinux) OS,
- Integrates the NVD,
- Adapts to many firewalled environments,
- Supports remote self-scan and application programming interface facilities,
- Is used for the Center for Internet Security benchmark initiatives,
- Includes plug-in facility for third-party applications,
- Includes CVE standards support (20040901),
- Has enterprise search module,
- Has stand-alone or daemon mode,
- Offers free-use open SATAN-oriented license,
- Is updated twice a month,
- Provides user extension support,
- Based on the SATAN model.
Advanced Research’s philosophy relies heavily on software reuse. Rather than inventing a new module, SARA is adapted to interface with other community products. For instance, SARA interfaces with the popular Nmap package for superior operating system fingerprinting. Also, SARA provides a transparent interface to SAMBA for session message block security analysis. SARA is no longer being developed, and v7.9.1 is the final release.
Security Administrator’s Tool for Analyzing Networks (SATAN)
Abstract
Security Administrator’s Tool for Analyzing Networks (SATAN) scans systems connected to the network noting the existence of well-known, often-exploited vulnerabilities. It examines a remote host or set of hosts and gathers as much information as possible.
Security Administrator’s Tool for Analyzing Networks (SATAN)
Type: Network Scanning
Operating System: Unix/Linux
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Dan Farmer and Wietse Venema
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners
SNScan v1.05
Abstract
SNScan is a Windows-based simple network management protocol (SNMP) detection utility that can quickly and accurately identify SNMP-enabled devices on a network. This utility can effectively indicate devices that are potentially vulnerable to SNMP-related security threats.
SNScan v1.05
Type: Network Scanning
Operating System: Windows
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Foundstone (A Division of McAfee)
Availability: http://www.foundstone.com/us/resources/proddesc/snscan.htm

SNScan allows for the scanning of SNMP-specific ports (e.g., UDP 161, 193, 391, and 1993) and the use of standard (i.e., public) as well as user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP-enabled devices in more complex networks.
SNScan is intended for use by system and network administrators as a fast and reliable utility for information gathering. Although not indicating whether SNMP-enabled devices are vulnerable to specific threats, SNScan can quickly and accurately identify potential areas of exposure to SNMP-related vulnerabilities.
ThreatGuard® Secutor Magnus
Abstract
Secutor Magnus is designed specifically to meet the Common Security Configurations requirements set forth by the Office of Management and Budget (OMB). Built for the Information Security Automation Program established by NIST, Magnus fully supports a wide-scale action plan to quickly and continually show that an organization has compliance under control. The entire Secutor line of automated content tools provides standardized assessments, content-driven remediation, and complete mappings to driving requirements with options to easily document deviations from those requirements.
Features
- Test NIST configurations to identify adverse effects on system functionality,
- Automated enforcement,
- Restrict administration to authorized professionals,
- Ensure new acquisitions use standard configurations,
- Patches,
- Automatically determines if computers have all required security patches,
- Performs vulnerability assessment of operating system and major applications,
- Provide documentation of deviations with rationale.
ThreatGuard Secutor Magnus
Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements: Vendor Supplied appliance also available
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Threatguard
Availability: http://www.threatguard.com/products.htm
Triumfant Resolution Manager®
Abstract
Triumfant Resolution Manager continuously scans for unusual changes that are consistent with the behavior and structure of malicious applications. These include unusual auto-start methods, stealth techniques such as those used by root kits, and unusual firewall exceptions. As a result, malicious attacks that are not detected by traditional signature based tools are recognized by Triumfant in real time, along with all of the changes to the machine associated with the attack. Resolution Manager immediately applies its deep analytics to verify that it is indeed an attack and assesses the full extent of the threat.

Resolution Manager uses its diagnosis of the problem and knowledge of the changes to the machine to synthesize a surgical remediation. These remediations do not delete the malicious executable; they repair the damage from the attack, effectively eliminating the need for costly re-imaging. The information about the attack and the remediation is captured so that Resolution Manager can scan the entire population for any other occurrences of the attack, and remediate machines where the attack is detected. Triumfant provides a comprehensive set of reports that deliver visibility into the security readiness of the endpoint environment from an executive summary view down to the details of each machine.

Triumfant Resolution Manager
Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL2+ – March 31, 2009
Developer: Triumfant
Availability: http://www.triumfant.com/products.asp

Features
- Malware detection—The ability to detect changes at a granular level allows Triumfant to detect, analyze, and remediate malicious attacks in real-time without the need for signatures or any prior knowledge of the attack.
- Security Configuration Management—Triumfant verifies that the organization’s standard portfolio of endpoint security software is correctly deployed.
- Compliance Management—Triumfant Resolution Manager applies security policies that are customizable from the departmental level down to individual machines. Triumfant also provides policy templates for specific security mandates, such as FDCC SCAP compliance and PCI compliance.
- Vulnerability Management—Triumfant uses the NIST SCAP vulnerability database to scan each computer for known software vulnerabilities, identifying where missing patches create a security exposure.
- Whitelist/Blacklist Management—Triumfant deletes unauthorized software from endpoint computers, and builds custom remediations to ensure that no malicious code is left behind by the deleted application.
Typhon III
Abstract
Typhon III is a tool that identifies infrastructure and Web application. Capabilities include the fast and accurate identification of current and historical security vulnerabilities; the nonintrusive vulnerability scanner provides secure quality protection against current threats, including—
- Rootkits,
- Phishing,
- SQL Injection,
- Pharming,
- Confidential Data Theft.

Typhon III
Type: Web Application Scanning
Operating System: Windows 2003, 200, XP, NT 4.0 SP6a
Hardware Requirements: 500 MHz CPU, 512 MB RAM, 20 MB disk space (minimum)
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/ngs-typhon.php
By providing a comprehensive security audit of all hosts in the network, from routers and printers through Web and database servers, Typhon III helps the network to stay secure from threats. Exposing weak passwords in a variety of protocols, it contains a full range of checks for common vulnerabilities and configuration errors. Typhon III can also audit Web applications using its integrated Web spider, a device that will locate every page and script on a Web site (even hidden, unlinked, and test files) and rigorously test for SQL injection and XSS flaws.
WebInspect
Abstract
HP WebInspect software is a Web application security assessment software designed to analyze today’s complex Web applications. It delivers fast scanning capabilities, broad assessment coverage, extensive vulnerability knowledge, and accurate Web application scanning results.
Features
- Statically analyze client-side Adobe Flash applications;
- Produce faster scans and more accurate results through the Simultaneous Crawl and Audit (SCA) technology;
- Reduce false positives using Intelligent Engines designed to imitate a hacker’s methodology;
- Increase testing throughput with support for multiple concurrent scans;
- Enter a URL, username, and password to quickly initiate a simple scan for immediate results;
- Innovative scan profiler assists you in optimizing the scan configuration to maximize the effectiveness and accuracy of the scan;
- Depth-first crawling option for Web sites that enforce order-dependent navigation;
- Fingerprinting of Web framework using Smart Assessment technology to reduce unnecessary attacks.
HP WebInspect
Type: Web Application Scanning
Operating System: Windows
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Hewlett Packard
Availability: https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__
WebScarab
Abstract
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S)-based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
WebScarab
Type: Web Application Scanning
Operating System: Windows, Linux, Mac, Unix
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Rogan Dawes of Corsaire Security
Availability: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
SECTION 6
Related Resources
This provides additional references: books, Web sites, articles, and papers.
References
1. Carnegie Mellon Software Engineering Institute CERT Coordination Center (n.d.). CERT/CC Statistics 1988-2008. http://www.cert.org/stats/cert_stats.html. (Accessed June 3, 2009).
2. Homeland Security Advisory Council. Report of the Critical Infrastructure Task Report, January 2006.
3. Merriam-Webster Online Dictionary. http://www.merriam-webster.com/. (Accessed June 5, 2009).
4. Schultze, E. “Thinking Like a Hacker.” March 2002. http://pdf.textfiles.com/security/thinkhacker.pdf. (Accessed June 5, 2009).
5. Storms, Andrew (SANS Institute). “Using Vulnerability Tools To Develop an OCTAVE Risk Profile.” December 2003. http://www.sans.org/reading_room/whitepapers/auditing/1353.php?portal=813b67045603408ee90700647. Retrieved 13 March 2007.
6. U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, May 2003.
7. U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm. (Accessed June 3, 2009).
8. U.S. Government, White House. Cyberspace Policy Review. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf (Accessed June 5, 2009).
9. Spiegel Online International. “Away From the Politics of Fear” – Interview with Homeland Security Secretary Janet Napolitano. http://www.spiegel.de/international/world/0,1518,613330,00.html. (Accessed June 5, 2009).
10. SRI International; Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. An Analysis of Conficker’s Logic and Rendezvous points. http://mtc.sri.com/conficker. Updated March 19, 2009. (Accessed June 10, 2009).
11. Conficker Working Group Home page. http://www.confickerworkinggroup.org/wiki/pmwiki.php
12. Cyber Secure Institute. Cyber Secure Institute on the Conficker Controversy. http://cybersecureinstitute.org/blog/?p=15. (Accessed June 11, 2009).
13. Gregory Braunton, SANS Institute. “B.A.S.E – A Security Assessment Methodology”. http://www.sans.org/reading_room/whitepapers/auditing/b_a_s_e_–_a_security_assessment_methodology_1587. (Accessed June 11, 2009).
14. Chairman of the Joint Chiefs of Staff of the Armed Forces. Joint Publication 3-13: Information Operations. February 13, 2006.
SECTION 7
Recommended Resources
Alberts, Christopher and Audrey Dorofee. Managing Information Security Risks: The OCTAVE Approach. Boston: Addison Wesley Professional, 2003.
Braunton, Gregory (SANS Institute). B.A.S.E.—A Security Assessment Methodology, September 2004.
Open Vulnerability Assessment Language http://oval.mitre.org
Peltier, Thomas R., J. Peltier, and J.A. Blackley. Managing a Network Vulnerability Assessment. Boca Raton, FL: CRC Press LLC, 2003.
Stoneburner, G., A. Goguen, and A. Feringa. Special Publication 800-30—Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology (NIST), 2002.
U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, 2003.
U.S. Government, Department of Commerce. “Publication 199 - Standards for Security Categorization of Federal Information and Information Systems.” Federal Information Processing Standards (FIPS), 2004.
U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm.
SECTION 8
Definitions
- All-hazards/Threat—Circumstances, events, or people with the potential to cause harm to a system. The full spectrum of threats and hazards could include natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, and accidental disruptions such as construction mishaps.
- Critical Asset—Those assets of such importance to an organization that without them the organization’s ability to execute its mission would be significantly degraded or suffer complete failure.
- False Negative—Refers to when a tool fails to find an existing vulnerability.
- False Positive—Refers to when a tool finds a vulnerability that does not exist.
- Risk—A function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization. Written mathematically, risk is the following:
  Threat x Vulnerability x Impact of Loss = Risk.
- Risk Assessment—The process of evaluating the impact of loss of an asset, the likely and probable threats, and the vulnerabilities of the asset.
- Risk Management—A process for identifying and prioritizing the impact of loss, threats, and vulnerabilities, and making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce the risk of loss.
- Scanning—A periodic examination of traffic activity, system files and permissions, and overall system configuration to determine whether further processing is required.
- Vulnerability—Refers to a weakness in a system’s security scheme, which may include system security procedures, internal controls, or implementation. Exploitation would negatively affect the confidentiality, integrity, or availability of the system or its data.
- Vulnerability Assessment—An examination of the ability of a system or application, including current security procedures and controls, to withstand assault. A vulnerability assessment may be used to a) identify weaknesses that could be exploited; and b) predict the effectiveness of additional security measures in protecting information resources from attack.
SECTION 9
Definitions of Acronyms and Key Terms
Acronym or Term: Definition
ACL: Access Control List
ARP: Address Resolution Protocol
CERT: Computer Emergency Response Team
CGI: Common Gateway Interface
COPS: Computer Oracle and Password
COTS: Commercial Off-the-Shelf
CPU: Central Processing Unit
CSV: Comma Separated Variable
CVE: Common Vulnerabilities and Exposures
DHS: Department of Homeland Security
DISA: Defense Information Systems Agency
DoD: Department of Defense
DSII: DominoScan II
DSS: Data Security Standard
DTIC: Defense Technical Information Center
ePO: ePolicy Orchestrator
ESSG: Enterprise-Wide Information Assurance and Computer Network Defense Solutions Steering Group
FDCC: Federal Desktop Core Configuration
FISMA: Federal Information Security Management Act of 2002
GB: Gigabyte
GHz: Gigahertz
GLBA: Gramm-Leach Bliley Act
GUI: Graphical User Interface
HBSS: Host Based Security System
HIPAA: Health Insurance Portability and Accountability Act
HIPS: Host Intrusion Prevention System
HSPD-7: Homeland Security Presidential Directive 7
HTML: HyperText Markup Language
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IA: Information Assurance
IAC: Information Analysis Center
IATAC: Information Assurance Technology Analysis Center
IAVA: Information Assurance Vulnerability Alert
IP: Internet Protocol
IPS: Intrusion Prevention System
IT: Information Technology
MB: Megabyte
MBSA: Microsoft Baseline Security Analyzer
MHz: Megahertz
MA: McAfee Agent
MU: Microsoft Update
NIAP: National Information Assurance Partnership
NIST: National Institute of Standards and Technology
Nmap: Network Mapper ®
NVD: National Vulnerability Database
OMB: Office of Management and Budget
OS: Operating System
OVAL: Open Vulnerability Assessment Language
PA: Policy Auditor
PCI: Payment Card Industry
PEO-IAN: Information Assurance/Network Operations Program Executive Office
PERL: Practical Extraction and Report Language
PHP: Hypertext Preprocessor
RAM: Random Access Memory
RSD: Rogue System Detection
SaaS: Software-as-a-Service
SANS: SysAdmin, Audit, Network, Security
SARA: Security Auditor’s Research Assistant
SATAN: Security Administrator’s Tool for Analyzing Networks
SCAP: Security Content Automation Protocol
SCCM: System Center Configuration Manager
SMS: Systems Management Server
SNMP: Simple Network Management Protocol
SOX: Sarbanes-Oxley Act
SQL: Structured Query Language
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
VM: Vulnerability Management
WSUS: Windows Server Update Services
XML: eXtensible Markup Language
XSS: Cross-Site Scripting