Because many of the products we tested reported thousands of vulnerabilities, we needed a common taxonomy to compare results. We chose CVE numbers (see cve. mitre.org) because they were the lowest common denominator between products, and for the most part, the effort is comprehensive. Unfortunately, using CVE addressed only part of the problem; the real challenge lay in parsing the reports (see our list of CVE numbers tested and how the products fared at www.nwc.com/1412/1412rd5.html).
Although Foundstone Enterprise and QualysGuard have well-designed reporting utilities, others, including Tenable Lightning (Nessus), Beyond Security's Automated Scanning Server and bv-Controls for Internet Security, have reports that are difficult to read and even more difficult to manipulate and re-sort. Complicating matters, we found that report content was often dissimilar. For example, nCircle's reports were so detailed we could review the entire attack decode to see how the vulnerability worked, while Vigilante's reports didn't even include remediation information; we had to follow a link to its Web site for further details.
Although all the products display a common vulnerability ID number (such as CVE or CERT) somewhere, they don't always list the place upfront. In fact, we noted several occasions where the vendor rolled several vulnerabilities into one heading and failed to list all the CVE numbers it represented. We wound up with a best attempt at digesting and comparing thousands of pages of reports. We ran all the scanners an exhausting number of times and spent weeks rebooting and resetting our systems and test bed. However, it is possible that a scanner may have flown under our radar as it knocked a service offline, inaccurately detected something it claimed to detect, or functioned irregularly in our environment. None of these factors would have radically change our results--and they are situations most organizations will face--but there is a margin of error. After all, even we need four hours of sleep once in a while.
Our vulnerability-assessment chart
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
