Vulnerability Scans

Updated Jan 30, 2024 ·

Overview

Vulnerability scans identify security weaknesses in systems and networks, helping organizations prioritize and mitigate potential risks.

• Uncover weak points that attackers might exploit.
• Compare systems against known vulnerabilities.
• Help maintain security by routine checks.

Scanners

There are three primary categories of scanners used to assess security:

• Port Scanners

  • Identify open ports on a network or system.
  • Help detect services that might be vulnerable to attack.

• Vulnerability Scanners

  • Identify security flaws in systems and networks.
  • Compare systems against known vulnerabilities and misconfigurations.

• Application Scanners

  • Scan web applications for security weaknesses.
  • Detect vulnerabilities like SQL injection, cross-site scripting (XSS), and insecure configurations.

Types of scans

Vulnerability Scan

Identifies and prioritizes vulnerabilities in systems or networks by checking against known security flaws.

• Non-Intrusive Scanning

  • Gathers information without actively exploiting vulnerabilities.
  • Minimizes the risk of disruption to systems.
  • Safer for production environments.

• Intrusive Scanning

  • Actively tests for vulnerabilities by simulating an attack.
  • Can identify more issues but might disrupt services.
  • Best for testing in non-production environments.

Configuration Scan

Ensures systems are securely configured to meet security standards and prevent misconfigurations that could create vulnerabilities.

• Checks the settings and configurations of systems and applications.
• Identify misconfigurations that could lead to security issues.
• Ensure compliance with security policies and best practices.

Code Scan

Analyzes source code to detect security flaws before deployment.

• Detect coding errors and potential security weaknesses before deployment.
• Use SAST tools such as Fortify or Sonarqube to examine the source code.
• Integrated into the SDLC to ensure secure coding practices.

Credentialed and Uncredentialed Scans

Credentialed scans, also called Privileged scans, have access to the system with provided credentials.

• Can inspect inside the operating system
• Including installed software and patch levels
• Gathers detailed configuration data with read-only access.

Uncredentialed scans work externally without login access, so they cannot verify patch status inside the system.

• Might miss vulnerabilities related to installed software updates
• Can also miss hidden vulnerabilities

Credentialed scans reveal internal patch and configuration issues like missing third-party software patches that uncredentialed scans usually miss.

Phases of Scanning

Vulnerability scanning typically involves the following phases:

1. Prepare assets and define the scan scope
2. Perform the scan to identify vulnerabilities
3. Remediate issues found
4. Document all findings and actions

Vulnerability scanning can be cyclical. You may rescan or reconfigure assets as needed, but eventually you must remediate and document those actions.

Scan Reports

Scan reports categorize findings to differentiate between real and false alerts, ensuring effective remediation.

• False Negative: A real vulnerability is missed.
• False Positive: A non-threatening issue is flagged.
• True Positive: A real vulnerability is accurately identified.
• True Negative: Non-malicious activities are recognized as safe.

For more information, see Analyzing Vulnerabilities.