IT Central Station is now PeerSpot: Here's why

How inadvisable it is to use a single vulnerability analysis tool?

Ludwing Caviedes - PeerSpot reviewer
VP Innovation and Development at Coinsa SAS


I'm a VP of Innovation and Development at a small tech. services company. 

Is it possible that a single vulnerability analysis software does not detect the entire spectrum of threats?

PeerSpot user
88 Answers

Jairo Willian Pereira - PeerSpot reviewer
Top 5LeaderboardReal User

Yes, and this answer is valid for any 'vulnerability analysis software' and company, independently of port/size/tool. 

You can use all tools of the world and 'does not detect the entire spectrum of threats. 

Threats are dynamic and assets (both software and hardware) change every day. More important than a tool (#1 out of #999 at a scoreboard) is your continuous process. 

Vladimir Jirasek - PeerSpot reviewer

Short answer: No. Long one: start with vulnerability assessment for your key systems. These are: a) anything accessible to the Internet, b) your end-user devices (PC, laptops, mobile). To cover these two (and more), I can recommend Qualys which we have been using, designing and managing for 20 years now. Additionally, to really get your external perimeter clean (that includes DNS and email), I strongly recommend Hardenize. 

Happy to discuss in more detail as needed. 

George Fyffe - PeerSpot reviewer

You wont find a single tool that will report on all the vulnerabilities that can crop up in your infrastructure. Such a tool would need to cover too many areas (On-Prem or Cloud, Network, Database(s)....). A better approach is to start by assessing what you absolutely must protect to protect your business. Work out what is critical and how it can be compromised. Then select tools to help you mitigate the risks. I would also recommend using tools that give you a Risk Assessment in an easily understood format. Some tools give pages and pages of data and leave you to figure out what it all means. If your are Public Cloud based, I would suggest you use a specialist tool such as SecureCloudDB to keep track of assets as they can spin up and down very quickly in the Cloud... so they can be part of your infrastructure without your knowledge. Equally, if you're not careful, they can come and go before you have had a chance to spot them.

Ram Balaji - PeerSpot reviewer
Real User

No. I think products work on vulnerability analysis have 2 streams, web application and endpoints/appliances. They don't concentrate on both at the same level. For application you can look into fortify and for endpoints/appliances you can try qualys, tenable and rapid7.

Milton Rodriguez - PeerSpot reviewer

It depends on the capabilities and reliability of the vulnerability analysis tool. In case of the tool has a high reliability and a low percentage of false positives and false negatives, it may be appropriate to have a single tool.

KimeangSuon - PeerSpot reviewer
Top 5Real User

If such as vulnerability analysis on software or application as static code analysis or purpose of SDLC review, I think currently Checkmarx , Micro Focus or Veracode should consider to this. if this is your requirement.

Stuart Berman - PeerSpot reviewer
Top 10Real User

What kind of 'vulnerability analysis' tool are you referring to? Static code analysis for code? If so there are a couple tools that cover most languages pretty well, Checkmark and Veracode. Or are you looking for vulnerability management tools like Qualys, Tenable or Rapid7?

Buyer's Guide
Vulnerability Management
July 2022
Find out what your peers are saying about Tenable Network Security, Qualys, Morphisec and others in Vulnerability Management. Updated: July 2022.
622,358 professionals have used our research since 2012.