Everything you need to know about vulnerability scanning

Anne Oikarinen

Anne Oikarinen

Senior Security Consultant and Content Creator

June 4, 2020 at 08:48

Vulnerability scanning helps you to detect information security flaws before something happens, monitor that service providers are fixing security vulnerabilities within the agreed SLA, keep track of your security and compliance status, and even avoid business risk. How does that work? Besides, there are different types of scanners and scanning services out there, so what are the differences? We have composed an overview of everything you need to know about vulnerability scanning. 

Find vulnerabilities before cybercriminals exploit them

Vulnerabilities are weaknesses in your system configuration or flaws in application code that can be exploited. Exploiting security vulnerabilities can result in information leaks, unauthorized modification or loss of data, denial of service causing outages, or even business disruption if the attack renders the systems unusable. Depending on your business, the motivation for a cyber attack varies – but the number one reason is usually money. It's surprisingly easy to scan for unprotected targets from anywhere in the world with services like Shodan. If your systems have vulnerabilities, you can be the next target.

So why don't you start scanning vulnerabilities regularly to find and fix your security weaknesses before someone exploits them?

Vulnerability scanning helps you to detect information security flaws before something happens, monitor that service providers are fixing security vulnerabilities within the agreed SLA, keep track of your security and compliance status, and even avoid business risk.

 

Know your security trends with continuous scanning

New vulnerabilities are found each day, so what was secure yesterday can be a critical risk today. Deploying new versions or even slightly modifying the configuration might also introduce vulnerabilities. You get the best out of vulnerability scanning if you do it regularly. This way, you can monitor the security trends of your products and services.

New vulnerabilities are found each day, so what was secure yesterday can be a critical risk today.

If the number of vulnerabilities suddenly fluctuates, maybe there's room for improvement in the IT service management or development processes. You can also monitor that vulnerabilities are getting fixed within the agreed SLA. If you need to ensure continuous compliance, e.g., with PCI-DSS, continuous vulnerability scanning will help you.

There are reports, and then there are reports that make you understand the risks

The hard part of vulnerability scanning tools is that they sometimes produce false positives. When a security expert reviews the tool reports, they can identify false alarms based on the detailed results or by manual testing. Assessed findings can save you a lot of troubleshooting – and also prevent gray hair.

Another tricky thing is the severity of the findings. A particular type of vulnerability may receive an automatic high or low score from the tool. Still, a security specialist that understands the application or system in question and the existence of other mitigations should re-evaluate the severity so you can understand what's the actual risk for your critical systems. The presence of multiple low-level findings of a specific type can also indicate that something more problematic lies under the hood. A person with in-depth security knowledge can spot the matter so it can be investigated thoroughly by a penetration tester. A human can also attempt to exploit the vulnerabilities and find logic flaws, which is something that a tool cannot do.

All these different scanners – which one to select?

It's easy to get overwhelmed with all sorts of scanners in the cybersecurity market. The features of all these tools also often overlap. There are a few subcategories of vulnerability scanning tools:

  • Platform and network scanning identifies all hosts in a network range, scans their open ports, detects the service versions and operating system, compares the software versions to a database of known vulnerabilities, and checks configuration flaws. You can scan both from outside and inside: the tool can use credentials assigned to it to log in to the hosts and apps to perform more thorough checks.
  • Cloud service configuration scanning uses cloud service management APIs to check the cloud service settings and compares them to a selected reference, such as the Center of Internet Security benchmarks. You can also scan application containers this way.
  • Application vulnerability scanning attempts to misuse the application features through its interfaces. Most traditional vulnerability scanners that perform platform scanning contain application vulnerability scanning features. Some tools specialize in this purpose, and they are often referred to as dynamic application scanners (DAST). Another type of solution is an interactive application scanning tool (IAST) that instruments the application's run-time behavior to spot anomalies.

There are other types of scanners, too.

Static code analysis tools (SAST) scan the code you have written for coding errors and missing security controls.

Software Composition Analysis (SCA) tools scan known vulnerabilities from the open-source components you use from your repositories. These tools can identify vulnerable libraries when you're only coding or building something. In contrast, vulnerability scanners investigate an environment where something has been deployed already, for example, in development or production.

A slight overlap in the tools is not a bad thing at all. No scanner is perfect, so making security checks in multiple phases of the development lifecycle ensures that you'll find the problems as early as possible. It also depends on your development speed and the lifecycle phase of the system, which tools make more sense. However, more scanners mean more reports, and that's why you might be interested in getting them sorted out with Application Security Orchestration and Correlation tools.

Benefits of regular vulnerability scanning

Regular vulnerability scans will make it much easier to ensure security and privacy in the services you use and in the products you build and purchase:

  1. Detect vulnerabilities and fix the issues before something happens.
  2. Monitor that vulnerabilities are fixed within the agreed SLA.
  3. Get the vulnerability information straight into your issue tracking system.
  4. Detect unmanaged configuration changes or services that were exposed accidentally.
  5. Monitor your security and compliance status and trends.
  6. Avoid business risks.

 

Interested to hear more? Check our webinar recording about vulnerability scanning. 

Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.

Related blogs