E-Commerce Times Talkback
In the world of computer security break-ins, the focus has shifted from alleged hacker masterminds to enterprise shortfalls -- unpatched software, poorly secured firewalls and weak computer passwords. However, vulnerability assessment tools are educating IT admins about how to close holes in networks before a hacker even finds them, let alone plans an attack. With estimates claiming that up to 90 percent of breaches can be avoided, such tools might represent a CIO's best chance to assess the level of security in his or her enterprise and determine how to improve it.
Pretty good evaluation of the issue, albeit restricted to an IT-centric perspective.
Emphasizing to IT sec staff the importance of pitching others in their organizations on the opportunities/rewards of marketing a site's security status to shoppers has been a very successful sales strategy for us.
Tiernan Ray writes, "In these frugal times, however, sysadmins probably will have to prove that vulnerability assessment products can generate ROI, no matter how smart the purchase seems in principle."
Sysadmins wondering how to justify the cost of vulnerability scanning would do well to spend five minutes visiting http://www.scanalert.com/Merchants?tab=3 to see how more than 30 retail ecommerce sites have reported considerable ROI numbers on their vulnerability scanning investments via Scan Alert's HACKER SAFE certification.
(In the spirit of disclosure, I work for ScanAlert). One of the statements that we make about marrying vulnerability scanning to independent security certification is that without certification, security is an expense; with certification, security is an investment.
HACKER SAFE certified online retailers have collectively analyzed the shopping behavior of more than a million visitors to their respective sites and reported back to us an average sales boost of 15 percent. With that sort of empirical data, certification is clearly one way to justify to a bean counter the cost of vulnerability scanning.
In addition to the commercial vulnerability scanners mentioned in this article there is a free, open source product called Nessus ( http://www.nessus.org/ ).