Is vulnerability scanning useful? Ask these four essential questions, and you'll find out

Nixu Blog

August 31, 2020 at 09:35

Vulnerability scanning may have an old-school, boring clang to it. It sounds like something you do on a network full of legacy systems. But nowadays, you can run a vulnerability scan on your cloud platform configuration, containers, or even cars. Sometimes vulnerability scanning is the best thing you can do, and sometimes it's the worst. Matti Suominen and Quinten Perquin revealed four questions that you should ask yourself to see whether vulnerability scanning is something you should do. 

Question 1: What do you want to achieve with vulnerability scanning?

The most important question that might also save you a considerable amount of money is, what do you want to achieve with vulnerability scanning? According to Quinten, vulnerability scanning can be a viable option if you're looking to get a regular status update on your workstations' and servers' security level. But if you're looking for in-depth security analysis on the weaknesses of a particular system, you might get better off with a penetration test or threat modeling.

Vulnerability scanning is a way to find out, do you have to do something to improve security.

Question 2: What do you want to scan? A laptop or an airplane?

There are decades of industry experience in scanning regular operating systems, like Windows or Linux, for vulnerabilities. Missing patches, open ports – simple enough to check and fix. But what if you're manufacturing, say, cars or airplanes, and need to run a vulnerability scan on them? In the end, there's probably an embedded Linux system inside. Still, to ensure you'll find out about potential vulnerabilities as early as possible, choosing what and when to scan is crucial. If you're developing your own products, static code analysis or software composition analysis can be more useful. You can read more about different scanner types from our previous blog.

Question 3: How are you going to follow up on the findings?

Vulnerability scanning is a way to find out, do you have to do something to improve security. The scanner won't fix any issues for you. Quinten sighs that in some cases, the monthly scanning report looks the same month after month: nobody has followed up on the findings and taken care of the vulnerabilities get fixed. Matti has similar experiences:

Back in the days, the biggest problem wasn't getting the scans done technically but actually getting anybody to do anything about it.

To make sure you're getting value out of the scans, you should find a way of connecting the findings into team backlogs, so fixing the issues will be on someone's to-do list. With multiple scanning tools, targets, and teams, emailing PDF reports is a nightmare, and even direct issue tracking system integrations can get messy, so Application Security Orchestration and Correlation tools may streamline your processes considerably.

Question 4: Do you have enough technical know-how to understand the reports?

Even if you got the vulnerability scanning reports on the right person's desk, fixing the issues might not be straightforward. Unfortunately, some scanning tools produce a mix of acronyms, scores, and some infosec mumbo jumbo that sounds scary but is almost incomprehensible. Finding the root cause and developing a proper solution might be difficult. In addition, one fix might solve ten issues, but sometimes you need to rewrite code in ten places to fix one problem.

Besides, sometimes automatically assigned severity scores are guesswork since the scanner does not understand your environment. The same vulnerability might be 'Critical' in a publicly accessible application, 'Low' in an internal test environment, and 'Won't fix' in a time-critical system. If you don't get the priority right, you might be spending all your time putting out fires.

Vulnerability management is about reducing risk, but sometimes you need to accept the risk when patching vulnerabilities is not feasible. You can read more about calculating the risks and deciding whether to patch our not, from our blog, CISO says: patch or accept? 

Did you miss the webinar? Watch the recording!

Quinten and Matti also discussed scanning installation images and cloud environments. If you missed the webinar, watch the recording from the video below

We also got an excellent question from the audience: what kind of vulnerability scanning is useful if you don't have any legacy at all? This topic is worth a webinar or blog of its own, so Quinten and Matti will answer this one soon – stay tuned!  


Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.

Related blogs