The latest version of Core Impact can now scan network devices for security vulnerabilities

With the latest release of its flagship Core Impact Pro, Core Security Technologies has expanded its application penetration testing software to scan and test network devices as well. Core Impact Pro version 11, released this week, also includes improved tools for scanning Web applications.

While network administrators have had no shortage of available network vulnerability scanners, Core is hoping that its capabilities in application penetration testing will provide additional insight into possible vulnerabilities on a network or in systems.

Earlier versions of Impact were able to detect network devices but offered no capabilities for exploiting vulnerabilities, said Fred Pinkett, Core Security vice president of product management. This version offers the tools and exploits to break into a device. The software will allow the administrator, using publicly available exploit code, to verify that a malicious attacker could access the device, rename it, crack its list of passwords and monitor its activities.

The software’s Network Information Gathering set of capabilities can scan a range of IP addresses and return a list of devices on the network, such as routers and switches. It can provide as many details as possible about each device, such as manufacturer, device, OS, and possible points of vulnerability.

Devices may contain access control lists and other information that can be useful to attackers trying to understand the topology of an enterprise’s network. Devices are also a good point to intercept and reroute traffic.

“Network security devices can be areas of vulnerability exposure if not properly configured, managed and patched,” said Diana Kelley, principal analyst at analysis firm SecurityCurve, in a statement. “That’s why a robust penetration testing plan includes these assets. Organizations need to understand if network device vulnerabilities exist and if these vulnerabilities can lead to data theft or other forms of compromise.”

Testing for Web application vulnerabilities has been another focus area in this upgrade. Version 11 of the software also has been configured to work with a number of Web application vulnerability scanners, such as IBM Rational AppScan and HP WebInspect. Once such scanners pinpoint probable vulnerable Web applications, an administrator could use Core Impact to test the applications against common exploits to see how they can be breached.

The software includes a number of new exploits that could be used against Web applications, including those for Persistent XSS (cross-site scripting) vulnerabilities and possible XSS vulnerabilities in Adobe Flash Objects.

Organizations and developers carry out penetration testing (also called PEN testing) as a way to check whether their systems and programs can be accessed and manipulated through their vulnerabilities. Earlier this year, Core integrated the nearly exhaustive Metasploit framework of exploits into Core Impact.

“We continually look at new ways an attacker can get into an organization and start to put functionality in our product to test for those new attack vectors,” said Mark Hatton, president and CEO of Core Security.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab’s e-mail address is Joab_Jackson@idg.com.