    Wednesday, Jan 05, 2011

    3 Vital Elements Of a Vulnerability Management Tool

    There are several hallmarks of effective penetration testing tools. First, it should be remembered that a vulnerability assessment is only a snapshot of the current situation and does not demonstrate a long-term procedure. This means that human experience needs to be overlaid on the process so that the results are interpreted correctly. Naturally, this can be costly, especially if it is done thoroughly and professionally. But the benefits easily outweigh the expense.

    Every vulnerability management tool should be examined carefully before making a decision. In a perfect world, you might imagine what a vulnerability management tool would be able to offer. It would be completely capable of asset management, vulnerability assessment, and patch management and remediation; it would be a complete configuration management tool; and finally it would monitor and report effectively to management. In the real world, however, this may not always be possible, but there are at least 3 elements of a vulnerability management tool that should be present.

    • First, asset management should be recognised as the basis of any vulnerability management program. It is imperative that an asset inventory is complete and up-to-date or else the whole program runs the risk of being only marginally effective. Naturally, it takes time and a coordinated effort from every element of the organisation to ensure that the asset list is complete and that every department has a commitment to ensuring this is so.
    • Compatibility and communication. It almost goes without saying that a vulnerability management tool and any associated tools should interface with one another with relative ease. For instance, a vulnerability assessment scanner needs to access the asset database to determine which devices are present and which parts of the inventory need to be monitored. This ensures that only the correct assets are identified for assessment but, as an added bonus, the vulnerability assessment tool could also be used to assist in developing system baselines within the network. These baselines can be used to identify possible weaknesses.
    • Thirdly, patching and configuration management should be seen as key to the entire process. It is one thing to identify which systems are patched but updating the asset database is quite another matter. The best vulnerability assessment tools are able to extract this data so that it is easy to make a more informed decision.
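    As an added illustration (not code from the original article), the sketch below shows the kind of interface between scanner output and the asset inventory that the three points above describe: it flags hosts the scanner found that are missing from the inventory, inventory entries with no scan data, and assets whose recorded patch date is old. The CSV layouts, field names and the 90-day threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data: an asset inventory export and scanner findings.
INVENTORY_CSV = """asset_id,ip,owner,last_patched
A-001,10.0.0.5,finance,2010-12-01
A-002,10.0.0.6,hr,2010-06-15
A-003,10.0.0.7,it,2010-11-20
"""
SCAN_CSV = """ip,finding,severity
10.0.0.5,missing-os-patch,high
10.0.0.6,weak-tls-config,medium
10.0.0.9,missing-os-patch,high
"""

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(inventory, findings, today, max_patch_age_days=90):
    """Compare scanner output with the asset inventory (hypothetical schema)."""
    by_ip = {a["ip"]: a for a in inventory}
    scanned = {f["ip"] for f in findings}
    report = {
        # Hosts the scanner reported that nobody has registered as an asset.
        "unknown_hosts": sorted(scanned - set(by_ip)),
        # Inventory entries for which the scanner returned no rows at all.
        "no_scan_data": sorted(a["asset_id"] for a in inventory
                               if a["ip"] not in scanned),
        "stale_patches": [],
        "findings_by_owner": {},
    }
    for a in inventory:
        age = (today - date.fromisoformat(a["last_patched"])).days
        if age > max_patch_age_days:
            report["stale_patches"].append(a["asset_id"])
    for f in findings:
        asset = by_ip.get(f["ip"])
        if asset:  # attribute the finding to the department that owns the asset
            report["findings_by_owner"].setdefault(asset["owner"], []).append(
                (asset["asset_id"], f["finding"], f["severity"]))
    return report

if __name__ == "__main__":
    result = reconcile(load(INVENTORY_CSV), load(SCAN_CSV), today=date(2011, 1, 5))
    for key, value in result.items():
        print(key, "->", value)
```

    A host under `unknown_hosts` is an inventory gap to resolve before its findings can be assigned to anyone, which is why the asset list comes first.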

    Most vendors of vulnerability assessment tools claim that their product is the best in the market and capable of doing everything you need. These claims should be treated with a grain of salt and the tools should be carefully evaluated for compatibility and completeness. It is quite likely that no one product will be able to solve all individual problems and you may even need to look at having a special product designed.

    You need to ask some specific questions along the above lines to ensure that your penetration testing tools are up to standard and compatible with your specific needs.
