Vulnerability and Compliance Management offered as Software as a Service (SaaS) is springing up like mushrooms. The SaaS model has enabled companies focused on vulnerability management to extend their reach and offer their services to more and more potential clients.
Most companies in this market name their SaaS service an "on-demand solution for security risk and compliance management".
Here is the list of potential vendors that you should look at, in no particular order:
The services are usually delivered as dedicated black box appliances that are placed within your infrastructure. They perform the scanning or IPS/IDS, but the results are then sent to the 'cloud', where the reports are generated. Most companies offer the usual set of services:
- Vulnerability Scanning - the basic offer of vulnerability scanning, with more or less success, but definitely comparable to your local vulnerability scanner.
- PCI DSS Scanning - the Payment Card Industry Data Security Standard (PCI DSS) was the important 'differentiator' of SaaS vulnerability scanning. PCI DSS requires a scan that is certified by the PCI group and performed by a certified company, so the SaaS vulnerability management companies got certified and created the PCI DSS scans. But for all everyday intents and purposes, your local vulnerability scanners have the same PCI DSS scans - all you need is to commission the scan 4 times a year for the PCI DSS audit.
- Managed Intrusion Detection/Prevention - much like the vulnerability scanning, this is more or less what your local IPS/IDS does, only the results go out and get analyzed and compared in the cloud.
- Reporting and Fix Tracking - this element may be one of the differentiators, but local vulnerability scanners are catching up. In a SaaS solution, all results are kept as reports, and you can easily create comparative baseline reports, or even assign tasks to persons for fixing some vulnerabilities. The system will automatically send reminder e-mails to those persons and re-scan after the configured deadline for fixing.
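The reporting and fix-tracking workflow described above, reduced to its core logic as an added example (not code from any vendor or from the original post): a comparative baseline report between two scans, plus the deadline check that decides who gets a reminder and which fixes are overdue at re-scan time. The scan results, host addresses, finding names and assignees are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample scan exports, reduced to (host, finding, severity) tuples.
# These are made-up findings for illustration, not output of any real scanner.
BASELINE_SCAN = {
    ("10.0.0.5", "ssh-weak-cipher", "medium"),
    ("10.0.0.5", "openssl-outdated", "high"),
    ("10.0.0.9", "smb-signing-off", "medium"),
}
CURRENT_SCAN = {
    ("10.0.0.5", "ssh-weak-cipher", "medium"),
    ("10.0.0.9", "smb-signing-off", "medium"),
    ("10.0.0.9", "tls-self-signed", "low"),
}


def compare_scans(baseline, current):
    """Comparative baseline report: findings that are new, fixed or persistent."""
    return {
        "new": sorted(current - baseline),
        "fixed": sorted(baseline - current),
        "persistent": sorted(baseline & current),
    }


@dataclass
class FixTask:
    """A vulnerability assigned to a person with a deadline for fixing it."""
    finding: tuple
    assignee: str
    deadline: date


def reminders_due(tasks, today, days_before=7):
    """Assignees to e-mail: open tasks whose deadline falls within the next N days."""
    window = today + timedelta(days=days_before)
    return sorted({t.assignee for t in tasks if today <= t.deadline <= window})


def overdue_tasks(tasks, current, today):
    """Re-scan check: tasks past their deadline whose finding still appears in the latest scan."""
    return [t for t in tasks if t.deadline < today and t.finding in current]


# Constructed assignments matching the sample scans above.
TASKS = [
    FixTask(("10.0.0.5", "openssl-outdated", "high"), "alice", date(2024, 1, 10)),
    FixTask(("10.0.0.9", "smb-signing-off", "medium"), "bob", date(2024, 1, 10)),
    FixTask(("10.0.0.5", "ssh-weak-cipher", "medium"), "bob", date(2024, 2, 5)),
]
```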
Vulnerability Management - Local or Managed?
In conclusion, both the local and the managed solutions are living quite well at the moment, and function-wise they are comparable. So which one to go for?
- The local solution can easily be reconfigured and directed at different targets. It is very flexible and, because it is usually installed on a laptop, very portable. It is an excellent choice for anyone who needs to perform scans from different positions in the corporate network. This would include IT security teams, penetration testers, external auditors and consultants.
- The managed (SaaS) solution is stationary, fixed and quite cumbersome to move around. It usually lives in the data center as a black box probe, or at the managed service provider as an external scan. It can be configured with the required targets, scheduled to run at regular intervals and perform regular controls. It is a good choice for internal auditors, security officers and compliance officers - no need for maintenance, it is all handled by the managed service provider.
- Calculate the optimal price/performance - the SaaS versions are usually sold as a yearly subscription charged per number of IP addresses to scan. This price may be quite significant, and you are tied to the block of IP addresses. On the other hand, the local scanners require hardware to run on, and you still pay a subscription for the vulnerability updates. So you need to calculate your optimal cost based on your requirements and expectations.
Talkback and comments are most welcome