Commercial vulnerability management tools are frequently being updated because of industry mergers and the emergence of new partnerships. Vendors continually exhort the benefits of their tools as the best option for a stand-alone vulnerability assessment or penetration testing options. Naturally, the vendor's claim that the money saved by virtue of not having to involve costly staff members in a process which can be largely automated, easily offsets the expense of the initial purchase.

It's also safe to say that free and open source vulnerability management tools are unlikely to provide you with a complete management solution but it might be possible to use some tools to support your existing program and save money in the process.

But before making a decision to travel down this road it's important to look at the capabilities of the various management tools on the market and assess their efficacy against your own organisations particular requirements.

Let's take a look at some of the elements of a vulnerability management tool that you can use as the basis for evaluating open source tools.

• One tool you might want to consider is Information Resource Manager (IRM). This tool can only be used for asset management and workflow because it is a powerful system built for IT departments and help desks. It is a seamless web application using a MySQL engine in the back-office to carry the heavy workload.

• Nmap is a great host discovery tool which can be a great addition to security auditing processes. It will work on a single host but was also designed to understand larger networks using raw Internet Protocol packets in a unique way. It determines which hosts are available on the network and analyses the services including applications names and versions they are running. A graphical version of the software is also available.

• Nessus is a vulnerability scanning tool which is really quite powerful and kept up to date by the originators of the Nessus Project. There are a staggering 11,500 plug-ins available and although it is now closed source, it's still free unless you opt for using some of the more recent plug-ins.

• MBSA is the Microsoft Baseline Security Analyser designed for IT professionals. It is a very easy-to-use tool which IT staff can use to determine security states in accordance with Microsoft's recommendations. You can get more information from the Microsoft site.

• Advchk is an advisory check tool which uses RSS feeds to identify security issues and to compare them to a list of known services. The tool then alerts you about any possible vulnerabilities. RSS feeds make it easier to continually monitor lists of trusted services mainly because manual checks are time-consuming not to mention extremely boring.

• Finally, Ossim (Open Source Security Information Management), consolidates several elements of vulnerability management and provides a compilation of tools which can work together and give the administrator a detailed view of all devices on the network.

Whilst it is not possible to list a detailed up-to-date analysis of all open source tools on the market, the above list will give you a starting point to see whether or not they will be suitable for your penetration testing requirements.