Free vulnerability testing for SANS top 20

In its quest to plug the top 20 Internet security holes, the SANS Institute of Bethesda, Md., has enlisted two California vendors to offer free network audits to government agencies.

Foundstone Inc. of Mission Viejo gives a 21-day free trial of its single-license Foundstone Managed Service. The service normally costs $2,500 per year for five live IP addresses; more addresses cost extra. Small organizations can try out Foundstone Professional free, also for 21 days.

Qualys Inc. of Redwood Shores posts a form to try out its QualysGuard on-demand auditing service. There is no software to install; the unlimited audit service normally costs $3,495 for five IP addresses.

SANS research director Alan Paller introduced representatives of both companies this week at a Washington briefing about the institute's top 20 vulnerabilities.

Alan Deane, vice president of Foundstone, said the company has been working with Lisa Schlosser, the Transportation Department's associate CIO for IT security, 'to use the top 20 as a baseline for a security posture.'

The SANS list does not yet include user practices or router vulnerabilities, Paller said. Some of those are covered in filings required by the Federal Information Security Management Act, he said, and others are on self-assessment checklists for commercial software, being compiled by the National Institute of Standards and Technology.

Paller said getting agency systems certified and accredited is the most critical step in winning Office of Management and Budget approval of FISMA filings. 'For the first time it engages the system owner'not just a security officer'to sign off on risk. You cannot get a passing grade unless you are at Level 4, which means 90 percent completion of system accreditations,' Paller said.

Accreditation, however, is very costly. He estimated a large department with 600 systems would have to fork over more than $25 million for the job.

'The most useful way to get system owners to put up the money,' he said, 'is to form a partnership between the CIO and the chief financial officer. Post the security metrics by division in the deputy secretary's office. Don't allow system owners to budget for fiscal 2005 if they haven't put the money up to get the certification and accreditation work done.'


  • 2020 Government Innovation Awards
    Government Innovation Awards -

    21 Public Sector Innovation award winners

    These projects at the federal, state and local levels show just how transformative government IT can be.

  • Federal 100 Awards
    cheering federal workers

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

Stay Connected