In recent decades, enterprises and public institutions have been automating their operations by employing internet and/or network-enabled computer systems. As a result of the introduction of the World Wide Web in the mid-1990s, the majority of enterprises and public institutions host web sites for both internal and external use. Enterprises and public institutions have been facing the challenge of rendering their web sites and e-commerce sites more interactive and user friendly. These web sites need to be protected against a rapidly growing number of sophisticated attacks and malware injections in which "hackers" seek to "take over the machine."
Conventional IT security practice has shown that most organizations struggle in regularly testing and auditing systems for emerging IT security vulnerabilities. Such systems may provide only a list of problems that have been identified, and leave the organization with the task of sifting through a large amount of data in order to identify real issues.
Many organizations employ conventional security vulnerability scanners to combat hacking and malware attacks. Unfortunately, conventional vulnerability scanners suffer from several imperfections. The potential vulnerabilities reported by conventional vulnerability scanners include a large number of false positives, and the conclusions rendered may be incomplete, inaccurate, or both. Traditionally, to solve this problem, one or more human security experts have been employed to review and verify unverified vulnerabilities. However, the reviewing process may be laborious and may include abundant duplication of effort. Further, disagreements among security experts frequently arise from differences in individual skill sets, including knowledge of hacking techniques and other vulnerabilities. It also becomes necessary to periodically rehire consultants to re-test as networks and applications change. All of these factors increase the total cost of ownership (TCO) of computer systems and web sites.
Accordingly, what would be desirable, but has not yet been provided, is an automated testing system and method that employs an expert system to automate the life cycle of network auditing and vulnerability risk management for enterprise software systems.