Administrators get a hacker's-eye view

The best way to find out if your house is secure is to hand over some cash to a thief and let him or her try to break in.

Of course, you have to trust the thief. But that's what many security administrators are letting services companies do to better assess weak points in an enterprise and try to patch potential software holes before real hackers break in.

Qualys Inc. this week launched its flagship service, QualysGuard, which aims to do just that. For a fee, users can let the Sunnyvale, Calif. company periodically try to hack in and then receive the gory details in reports.

While it's not a panacea - there are limitations to what audits can do - QualysGuard represents a type of security service growing in popularity.

Instead of security professionals coming in and assessing a network, they view it from the outside, just as a hacker might see it.

Real-world scenario
This creates a couple of advantages over an internal audit. First, QualysGuard doesn't have to sit inside the network the way load balancers do, which can itself open security holes. Second, Qualys gives an enterprise a hacker's-eye view of its network and the applications running on it, assuming that Qualys maintains up-to-date libraries of attack types and possible software holes.

So far, some users said, Qualys has kept up with the latest security vulnerabilities. Qualys' library numbers more than 600 known vulnerabilities.

"What I like about their system is that it's comprehensive and that their long-term direction addresses application-layer security, which is just as important as physical network security," said Peter Danzig, security administrator at Akamai Inc., in Cambridge, Mass.

Qualys automates much of the audit process with software algorithms. Officials claim the software can scan an entire network in a few minutes using about one-third of an enterprise's bandwidth. Users have access to the results via a Web page, where they can also schedule further audits.

In fact, Qualys has received high marks for the simplicity of the Web site, which shows where infrastructure is vulnerable and how vulnerable it is.

The site comprises QualysMap, which gives users a graphical view of their network as it appears to the outside world, and QualysScan, which details the algorithms that constantly determine whether that infrastructure is vulnerable to new or old threats.

But that's where Qualys - and this type of clever security assessment - stops. While the company is devoted to scanning networks and identifying vulnerabilities from the outside, CEO Gilles Samoun said the fixes to problems are often too transient or complex to implement automatically. So, Qualys will partner with other companies to help enterprises patch the security holes it finds.

"There's just too much to fight off right now," Samoun said. "Better to do one thing really well."

Subscriptions to QualysGuard range from $2,000 to $40,000 per year, depending on the size and scope of the network.