Vulnerability Assessment Services

Battling the war on vulnerabilities is a daunting and challenging task given the incredible number of new threats every day. As a pioneer in the vulnerability scanning industry, SAINT can present a complete and accurate picture of the security posture of your infrastructure—delivered to meet the requirements of your entire staff including executives, compliance auditors, network/system administrators and security engineers.

What is a Vulnerability Assessment?

Vulnerability assessment is the process of identifying how vulnerable an infrastructure is to known vulnerabilities—the number one threat to all networks today. The threats/risks found in the vulnerability assessment are ranked and prioritized to expose the current security posture, and to facilitate the remediation process. The first assessment is a baseline snapshot illustrating current threats. The second and subsequent assessments are known as periodic or differential scans, and illustrate trending analysis that answers the question—is our security posture improving over time?

It is important to understand that vulnerabilities exist across most systems and devices throughout the network. Typical assessments include targets that consist of network devices, operating systems, desktop applications, databases, Web applications, printers and almost any device that is attached to the network. Many organizations have specific assessment requirements. SAINT engineers work with customers to help define requirements and goals to ensure that the scope of work/deliverables exceeds expectations.

Assessment Options

Internal/External
Assessment of external public facing IP addresses and URLs is a mandatory requirement for most industries these days, and must be done on a frequent basis. As system and application environments change, and new vulnerabilities are discovered, frequent assessments are needed to ensure that all public facing/external devices and systems are vulnerability free. Internal assessments also need to be performed because internal threats and risks are just as important as external ones. As organizations lock down the external targets, the next challenge is the internal side, which typically encompasses a greater number of targets. Performing internal assessments provides proof that your team is determined to improve the overall security posture regardless of what side of the network the threat originates from.
Authenticated/Unauthenticated
Numerous methods of writing vulnerability checks are included with the vulnerability scanner. Depending upon the research available, in many cases authentication credentials are needed in order to accurately assess the severity of the target. This is known as authenticated or credentialed based scanning. Authenticated assessments provide more comprehensive and accurate results; they also check system and registry related types of risks. This option is encouraged on a periodic basis to understand the true vulnerability posture of your network.
Assessment Policy/Configuration
In order to ensure an accurate and useful report, A SAINT engineer will work with the customer to define configuration and policy requirements. For most customers, a full vulnerability assessment, which identifies heterogeneous threats and risks across the entire network, is needed. However, in some cases, a customer may need only a subset of such policy, thus reducing time and cost. Some examples of popular assessment policies outside of the full vulnerability include PCI, Web application, worm/trojan, desktop application, content search, exploitable only vulnerabilities, and Microsoft missing patch/configuration. Configuration options are numerous and are modified for each customer. Examples include TCP/UDP ports, fingerprinting options, targets to be included/excluded, intrusive/non-intrusive, hours of assessment to be performed, bandwidth, speed, spidering depth, and many more.
Reporting/Deliverables
SAINT has years of experience delivering exactly what customers need. Most engagements include an overview of the assessment, technical detail, and executive reporting. Assessments gather multitudes of details about the vulnerable infrastructure. Most of the time, all of this data is not relayed back to the customer as it may not be relevant to the customer project. For example, a compliance person may only want to see summaries and which targets failed and passed. Technical engineers often like to receive industry cross references such as CVE, CVSS Score, OSVDB, BID, IAVA, Vendor ID, and exploit available, to eliminate research time.

SAINT reports are available in many formats. The most popular are PDF, HTML, CSV and XML, although other format options can be defined to meet your needs.

Service Delivery Options

  • Manual Assessment – SAINT is contracted to perform an assessment as a service. The SAINT engineer performs all cycles of the testing as agreed by a defined scope of work.
  • Manual Assessment + SAINT® – In addition to providing the assessment service defined in the scope of work, SAINT technology is provided so the customer can perform their own assessments any time between scheduled manual service engagements. The technology can be offered as a software download or as a pre-configured appliance for assessing both internal and external assessments.
  • Manual Assessment + WebSAINT Pro® – This is a popular option where SAINT fulfills the manual assessment as defined in the scope of work. In addition, the customer receives an online cloud account with WebSAINT Pro to perform their own unlimited assessments on external public facing addresses. These WebSAINT Pro assessments run from the SAINT headquarter's data center and meet many 3rd party industry regulatory requirements.