FAQ
-
Q : What are the tests performed by the VulnIT solution?
A : The VulnIT solution checks for vulnerabilities related to patch management, configuration, authentication or development, on a variety of operating systems (Windows/Unix), applications and databases (SQL Server, Oracle...). It can also check Wi-Fi security.
-
Q : Is it possible to perform internal and external checks?
A : Yes. The VulnIT-KEY solution can be used from the inside of your organization as well as from the outside, using a simple Internet connection.
-
Q : Is it possible to differentiate between black-box and white-box assessments?
A : Yes. The security tests can be performed without providing any information on the target (black-box approach), or by specifying an account (SSH or Windows domain) that gives access to the target and allows many more vulnerabilities to be discovered.
-
Q : My computer cannot boot from a USB key. What can I do?
A : You can boot from a boot CD, which then hands over to the USB key. To do so, download this ISO image (540 KB), burn it to a CD, and insert the CD together with the USB key before powering on.
-
Q : Is it possible to specify several targets?
A : Yes. You can specify a target, a subnet (IP range), or let VulnIT discover your network assets and test all the targets to which you have access.
-
Q : How long do the tests take?
A : Once the testing scope is validated, the testing phase takes around 2 to 3 minutes per target.
-
Q : Can these tests affect the availability of my services?
A : VulnIT has been designed with real caution to avoid this risk, by selecting only non-aggressive tests and performing no more than 2 tests in parallel per target. However, we recommend that you always start your assessment with targets in a development or testing environment before running the tests on production targets.
-
Q : Can these tests lock accounts (brute force attacks)?
A : No. Only 2 passwords are tested per login, in case the security policy is configured to lock after 3 unsuccessful login attempts.
Nevertheless, an authentication test must not be performed twice on the same service without alerting its administrator.
-
Q : How is the software updated?
A : Updates are frequently released on our servers, bringing new security tests. The VulnIT solution automatically downloads and installs these updates using a simple Internet connection.
-
Q : What is the price of this solution?
A : The annual license offers unlimited testing (no limit on the number of targets or the number of tests performed). The Advanced version includes corrective and evolutionary updates during the license validity period. You can save 10% on its yearly renewal by referring another company. Please contact us for more information.
-
Q : What services do you provide?
A : We provide training to help you get the most out of our solutions. Please contact us for more information.
-
Q : Does VulnIT integrate trace logs?
A : Yes. For an audit tool, trace logs are essential. You have access to these logs in real time during the execution, through the VulnIT. You can also export these logs to the USB key the same way you save an audit report.
-
Q : The report shows no vulnerability. Am I safe?
A : You can't be sure. Automated software remains limited in scope, expertise and adaptability, especially when dealing with application vulnerabilities (websites, for instance). It should therefore be complemented by an expert analysis (penetration test).
-
Q : Is it possible to enter further parameters?
A : Yes. You can add additional accounts for authentication tests, database instance names, SNMP community names, etc. These wordlist customizations remain optional.
-
Q : What happens if I lose my USB key?
A : From a security perspective, the USB key does not contain any data, as the test results and logs are flushed after each use, and the reports are stored encrypted. In addition, a personal user password is required at boot time.
















