SSH Communications Security has announced a free tool to scan and assess networks to provide a report on risk and compliance exposures in secure shell (SSH) environments.
The company claimed that the tool, named the SSH Risk Assessor (SRA), identifies an organisation's compliance status with relevant standards, assesses actions needed to achieve compliance and provides an understanding of the current state of the SSH environment.
According to the company, the free tool enables internal and external audit and security teams to collect SSH key information across the environment and provide an assessment of risk exposure. The tool highlights known vulnerabilities in the environment, basic statistics on SSH keys deployed and specific violations of current best practices.
Tatu Ylönen, CEO and founder of SSH Communications Security, told SC Magazine that the current state of SSH key management is so bad that the company is currently welcoming comment on its draft document on best practice for this technology.
He said: “SRA provides an easy way for enterprises and government agencies to determine if there are risk and compliance issues with respect to who has access to what information in their SSH environment.”
He said that the tool will create a script that runs on each server to analyse it, building a picture of the servers that lets users know how many keys they have and helps them build a remediation project.
“It is a free tool to show what your situation is without having to make any modifications to your systems,” he said. “It is free now to auditors and eventually we will make it free to everyone.”