| 7 min read
A few days ago, we talked about "vulnerability assessment" and "vulnerability management" in this blog. This time we will focus on "vulnerability scanner" and "vulnerability scanning." With the intention of linking all these terms, we can say in advance that a vulnerability scanner is a tool with which vulnerability scanning is carried out. This scanning is a form of vulnerability assessment, which is one of the necessary operations within a vulnerability management program. Let's take a look at the definitions, common classifications and pros and cons of vulnerability scanners and vulnerability scanning.
What is a vulnerability scanner?
Let's consider each of the words that make up this term and look at their general meanings to enlighten us before we get into the cybersecurity field. According to the Oxford dictionary, "vulnerability" is "the fact of being weak and easily hurt physically or emotionally." On the other hand, a "scanner" is a device for examining and taking records of something. We may even find this word's definition within the healthcare topic of the same dictionary helpful: "a machine used by doctors to produce a picture of the inside of a person's body on a computer screen."
Now, in the cybersecurity context, a vulnerability can be seen as a weakness within an IT system. A vulnerability usually results from design or configuration problems and, if exploited by attackers, can allow them unauthorized and privileged access to the system and compromise its operations or assets. A vulnerability scanner is then a device or computer program or testing tool that automatically identifies and reports such weaknesses present in systems (e.g., web and mobile apps, networks, infrastructures, and IoT devices).
What is vulnerability scanning?
Vulnerability scanning is precisely the procedure mentioned in the previous paragraph. This is just another form of vulnerability assessment that, thanks to automation, allows companies to quickly discover many of their weak points. Typically, vulnerability scans focus on identifying, describing and reporting previously known vulnerabilities that are registered in the scanners' databases. These machines usually review the components and configurations of their predefined targets of evaluation and compare or match them with the information they have in their databases to identify security issues.
Vulnerabilities detected by a scanner can be, for instance, outdated software versions, misconfigurations and non-compliance with security requirements. Sometimes these automated tools also work based on specific predefined attack patterns that they send to the target to compare its response outputs with those that are supposed to occur in the presence of known vulnerabilities.
How are vulnerability scanners and scanning classified?
The classifications usually found for these terms tend to be not very clear or convincing. Not seeing rigorous categories, we decided to present types of scanners according to targets they evaluate and types of scanning according to modes of operation:
Types of vulnerability scanners
-
Network vulnerability scanners or network security scanners: These tools scan for vulnerabilities in an organization's entire network (i.e., network vulnerability scanning). They initially identify open ports, services running on those ports and the operating system on the network devices. Following their databases of known vulnerabilities, these scanners detect security issues in devices such as routers, switches, firewalls and servers. Beyond these network-based vulnerability scanners, we can mention host-based vulnerability scanners that focus specifically on individual network hosts, such as servers or workstations, to identify vulnerabilities in their operating systems, applications and services.
-
Website scanners or web application vulnerability scanners: These tools scan websites and web apps to detect security issues, specifically in their code and configurations. These web vulnerability scanners can use both the databases of known vulnerabilities and the common attack patterns mentioned above to identify problems or risks such as those we can see in the OWASP Top 10 (e.g., Broken access control, Cryptographic failures, and Injection). We can include here scanners such as static application security testing (SAST) and dynamic application security testing (DAST) tools.
-
Open-source components vulnerability scanners: These tools focus on identifying and analyzing all third-party open-source software components and their dependencies for vulnerabilities (i.e., software composition analysis, SCA). The use of outdated components with known vulnerabilities is also listed in the OWASP Top 10 and, as we saw in the State of Attacks, 2022, was the security issue that contributed most to the risk exposure of the companies we evaluated from Fluid Attacks in one year.
Types of vulnerability scanning
-
Comprehensive and targeted vulnerability scanning: Related to what we noted about network-based and host-based scanners, vulnerability scans can vary in terms of thoroughness. Comprehensive vulnerability scanning focuses on evaluating all the systems that constitute a network. It can detect more vulnerabilities than targeted vulnerability scanning, which concentrates on specific systems, but requires more analysis time.
-
External and internal vulnerability scanning: External vulnerability scanning is performed from outside the perimeter of an organization's network. These assessments serve to detect vulnerabilities that attackers could exploit from outside the network to be able to move "vertically" or inside it. The tools deal there with security devices that block traffic. These security scans identify open ports and services and vulnerabilities in internet-facing devices such as web and mail servers and firewalls. External scanning is essential for the now so commonly used infrastructure in the cloud, where scanners must analyze all assets hosted there by an organization.
Internal vulnerability scanning is carried out from inside the perimeter of an organization's network. These assessments are used to detect vulnerabilities that could be exploited by attackers who have gained access to the network to move "laterally" to various systems within it. These scans identify vulnerabilities in internal servers, workstations and other devices that are not visible from the internet. Standards such as the PCI DSS usually require companies to conduct internal and external scans regularly and when the network is modified by upgrades or installation of components, for example.
-
Unauthenticated and authenticated vulnerability scanning: We can also refer to them as non-credentialed and credentialed vulnerability scanning. Unauthenticated vulnerability scanning does not require the use of login credentials. These scans are limited to identifying vulnerabilities that are visible from the outside. What is done in these scans is to detect open services and ports. Later, the scanner sends packets to them to extract available information such as software or operating system versions and, using its database, reports known vulnerabilities that may be present.
Authenticated vulnerability scanning requires the use of login credentials. These assessments are more accurate and comprehensive than the previous ones. They manage to collect more detailed or low-level data from the operating system and specific applications and services, as well as configuration details of the evaluated systems. Here the scanners detect vulnerabilities that are only visible after logging in to the system.
Pros and cons of vulnerability scanners and scanning
Today there are bunches of automated tools for vulnerability scanning, including commercial and free vulnerability scanners. It is customary for organizations interested in their cybersecurity to use several of them simultaneously to achieve "full coverage" with their different features. Although vulnerability scanners guarantee evaluation speed and allow people to save time and effort, their assessment scope is restricted. This scope depends on the databases that scanners use as a reference. These databases are composed of public lists such as the CVE (Common Vulnerabilities and Exposures) and the vendors' own lists (generated, maintained and updated by their research groups). Anything outside these lists is not detected by the scanners and therefore remains a false negative (i.e., the scanner reports the non-presence of a vulnerability where it actually does exist).
Moreover, it is true that vulnerability scanners can provide detailed information on their findings, such as location, severity or risk exposure, identification date, status, and even recommendations for remediation or mitigation of vulnerabilities. However, many of these reports refer to false positives (i.e., scanners report the presence of vulnerabilities where in fact there are none). Something that can also be problematic is relying on the assigned values of severity or risk, which usually depend on metrics such as the CVSS (Common Vulnerability Scoring System). This is because risk levels may also depend on the relationship established by particular vulnerabilities in specific attack patterns. Still, scanners evaluate them more in isolation (the machines focus on "surface vulnerabilities," those independent of others). Moreover, scanners generally are unable to identify those vulnerabilities that arise as a result of combinations.
Given the aforementioned difficulties, another type of vulnerability assessment is necessary: penetration testing. Full coverage is not achieved with automated tools alone, even if many are implemented. The identification of complex —sometimes of higher severity— and previously unknown vulnerabilities depends on human astuteness and expertise, on pentesters. They can correlate vulnerabilities and detect new ones that emerge in certain attack patterns. Pentesters simulate "real-world" attacks and even exploit vulnerabilities to assess impacts. Likewise, they interpret and validate scan results to both reduce false positive rates and deliver reports that, with more appropriate scores, actually allow prioritizing the risk exposure of the company under evaluation in order to move on to remediation actions. Ultimately, we could say that vulnerability scanning can be considered a first step before, or initial support for, penetration testing.
Vulnerability scanning with Fluid Attacks
At Fluid Attacks, we have an open-source vulnerability scanner that we have been developing and that we continuously update and improve with the help of our red team. This tool is capable of applying both SAST, DAST and SCA. In 2021, it achieved a perfect result in the OWASP Benchmark version 1.2 with SAST. (In fact, it appears in the OWASP Source Code Analysis Tools list.) In addition, in 2022, it was approved for cloud application security testing by the App Defense Alliance, which seeks to ensure that applications on Google Play do not contain security vulnerabilities.
In our Essential plan (which you can try right now for free for 21 days), you can integrate our scanner into your software development lifecycle to do continuous vulnerability scanning. (Continuity in security testing is even recommended by the Center for Internet Security, CIS.) In our Advanced plan, you have our vulnerability scanning along with manual penetration testing by our highly certified ethical hackers or pentesters.
For both plans of our Continuous Hacking service, we know that it is not of much interest to stay in detecting security issues that criminals can exploit in cyberattacks. This is why Machine and Advanced offer you our Vulnerability Management solution supported by our distinctive platform. In it, our customers receive detailed reports of their vulnerabilities, assign remediation procedures, request reattacks to verify their solutions, resolve doubts with our experts, keep track of their progress in cybersecurity, and much more.
Do not hesitate to contact us if you want to be part of our customers!
Recommended blog posts
You might be interested in the following related posts.
