Issue TOC Print full article Print this page E-Mail this URL Discuss this article Flame the author     In this article Introduction Wants & Needs Foundstone Enterprise and FoundScan Engine 2.6 Qualys QualysGuard Intranet Scanner Harris Corp. STAT Scanner Professional Edition 5 eEye Digital Security Retina Network Security Scanner Vigilante.com SecureScan NX 2.6.50 SAINT 4.3 nCircle Network Security IP360 Vulnerability Management System 5.3 Other Products Reviewed How We Tested Web Links Report Card

SAINT proved a formidable opponent but unfortunately, like every other scanner, it sails in some areas, sinks in others. SAINT's vulnerability coverage was above average, and its price is right, but we felt the product could be improved on the management and reporting fronts.

Although SAINT takes a bit more know-how than do the products from Foundstone, Qualys and nCircle, it runs over a standard Linux distribution and has the easiest install script we've seen over a Linux command shell. We highly recommend the Express plug-in (www.saintcorporation.com/products/saint_express.html); without it, performing updates is a tedious process. We hope SAINT will build Express into the standard product in the future.

The most annoying problem was with adding IP addresses. You'd think this should be a simple task, but not so: To enter address ranges from multiple subnets, you must pull from a text file. If any address fails, the entire scan fails, but not necessarily right away. On several occasions we had to wait for half an hour before SAINT bombed on one address that we'd entered incorrectly. SAINT would benefit from a more intuitive interface for programming multiple addresses and address blocks.

Although SAINT doesn't offer much in the way of exportable reports, it does provide some well-designed prebuilt reports and lets you create your own. SAINT's reports make extensive use of hyperlinks--letting us jump from an address to an explanation of that entire system and so on; unfortunately, we soon found ourselves lost in the jumps. We believe that a dynamic reporting interface would prove much more efficient than simple hyperlinks. SAINT is a good solution for small-to-midsize organizations, but it doesn't have the aggregation capabilities needed for larger enterprises.