Vulnerability scanners check systems against a known list of vulnerability signatures. SecurityExpressions audits systems against a system security policy, such as a home-grown policy or one published by Microsoft, SANS, NSA, NIST and other industry organizations. Vulnerability scanners serve a different purpose than an audit and compliance solution: a vulnerability scanner finds specific, known security problems in your configuration, whereas an audit and compliance solution audits your systems against a complete, detailed system security policy. Some items not covered by a typical vulnerability scanner that could be in a system security policy file include:
- Operating system configuration settings such as users and groups, user rights, user account policies, registry settings and key permissions
- Application configuration settings
- Unauthorized hardware/software
- Advanced settings such as queries, user account activity, login accounts and system utilization
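To make the distinction concrete, here is an added illustration (not SecurityExpressions code, and not a representation of its policy file format) of how a policy-driven audit differs from signature matching. The host snapshot, the setting paths, the rule IDs and the policy values are all constructed for the example; a real audit agent would collect the snapshot from the live system, and a real policy would come from one of the published baselines named above. The same engine evaluates account policy, user rights, group membership, a registry value, an application setting and installed software, and it treats a setting that was never collected as a failed check rather than silently skipping it.

```python
"""Policy-driven configuration audit versus a signature-style scan (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

# Constructed configuration snapshot for one host (not real collected data);
# the keys are hypothetical setting paths an audit agent might report.
SAMPLE_HOST: dict[str, Any] = {
    "os.account_policy.min_password_length": 8,
    "os.account_policy.lockout_threshold": 5,
    "os.user_rights.SeDebugPrivilege": ["Administrators", "BUILTIN\\Users"],
    "os.groups.Administrators": ["Administrator", "svc_backup", "jdoe"],
    "os.registry.Lsa.LmCompatibilityLevel": 5,
    "app.sshd.PermitRootLogin": "yes",
    "software.installed": ["Office", "PuTTY", "uTorrent"],
    # "os.audit_policy.logon" is deliberately absent: the agent did not collect it.
}

# Comparison operators a policy rule may use. Every operator treats a missing
# value (None) as non-compliant so an uncollected setting never passes by accident.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "min": lambda actual, expected: actual is not None and actual >= expected,
    "max": lambda actual, expected: actual is not None and actual <= expected,
    "subset_of": lambda actual, allowed: actual is not None and set(actual) <= set(allowed),
    "disjoint_from": lambda actual, banned: actual is not None and not set(actual) & set(banned),
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    setting: str
    op: str
    expected: Any
    severity: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    setting: str
    actual: Any
    expected: Any
    passed: bool
    severity: str
    note: str = ""


# Constructed policy with hypothetical thresholds; a real one would follow a
# published baseline (Microsoft, SANS, NSA, NIST) or an organization's own standard.
POLICY: list[Rule] = [
    Rule("PW-01", "os.account_policy.min_password_length", "min", 12, "high"),
    Rule("PW-02", "os.account_policy.lockout_threshold", "min", 1, "high"),
    Rule("UR-01", "os.user_rights.SeDebugPrivilege", "subset_of", ["Administrators"], "high"),
    Rule("GRP-01", "os.groups.Administrators", "subset_of", ["Administrator", "svc_backup"], "medium"),
    Rule("REG-01", "os.registry.Lsa.LmCompatibilityLevel", "min", 5, "medium"),
    Rule("APP-01", "app.sshd.PermitRootLogin", "eq", "no", "high"),
    Rule("SW-01", "software.installed", "disjoint_from", ["uTorrent"], "medium"),
    Rule("AUD-01", "os.audit_policy.logon", "eq", "Success and Failure", "low"),
]


def audit(host: dict[str, Any], policy: list[Rule]) -> list[Finding]:
    """Evaluate every rule in the policy against the host snapshot."""
    findings: list[Finding] = []
    for rule in policy:
        if rule.op not in OPERATORS:
            raise ValueError(f"{rule.rule_id}: unknown operator {rule.op!r}")
        actual = host.get(rule.setting)
        if actual is None:
            passed, note = False, "setting not collected; treated as non-compliant"
        else:
            passed, note = OPERATORS[rule.op](actual, rule.expected), ""
        findings.append(Finding(rule.rule_id, rule.setting, actual, rule.expected,
                                passed, rule.severity, note))
    return findings


def failed(findings: list[Finding]) -> list[Finding]:
    """Only the non-compliant findings, in policy order."""
    return [f for f in findings if not f.passed]


def compliance_score(findings: list[Finding]) -> float:
    """Percentage of rules passed, rounded to one decimal place."""
    if not findings:
        return 0.0
    return round(100.0 * sum(f.passed for f in findings) / len(findings), 1)


# Contrast: a signature-style scan knows only a fixed list of bad items and says
# nothing about password policy, user rights, group membership or audit settings.
KNOWN_BAD_SOFTWARE = {"uTorrent"}  # constructed signature list


def signature_scan(host: dict[str, Any]) -> list[str]:
    """Return installed software that matches a known signature."""
    return sorted(set(host.get("software.installed", [])) & KNOWN_BAD_SOFTWARE)


if __name__ == "__main__":
    results = audit(SAMPLE_HOST, POLICY)
    for f in results:
        status = "PASS" if f.passed else "FAIL"
        print(f"{status} {f.rule_id} [{f.severity}] {f.setting}: actual={f.actual!r} expected={f.expected!r} {f.note}")
    print(f"compliance: {compliance_score(results)}%")
    print(f"signature scan hits: {signature_scan(SAMPLE_HOST)}")
```

Run as a script, the policy audit reports six failures out of eight rules (a 25% compliance score), while the signature scan over the same snapshot flags only the one installed package it has a signature for; the other five findings are configuration-policy violations that no signature list would describe.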