Vulnerability scanning tools and services

Overview of Vulnerability Scanning

Vulnerability scanning encompasses the automated procedure for identifying weaknesses in an organization’s security framework. This includes aspects like the patch management process, security hardening measures, and the software development lifecycle (SDLC). Tools that provide vulnerability scanning are often referred to as vulnerability assessment systems (VAS).

Incorporating vulnerability scanning solutions into a robust vulnerability management program (VMP) is a cost-effective strategy to identify security threats within an organization’s networks. Nonetheless, the diversity of vulnerability scanning products and services presents numerous specialized options, leading to complexities in selecting the ideal solution for your organization.

This document aims to equip a broad audience with the necessary knowledge to choose a suitable vulnerability scanning tool.


Target Audience and Document Structure

This guide is designed for small and medium enterprises, large corporations, and public sector organizations to:

  • grasp the fundamentals of vulnerability scanning and its role in a VMP
  • determine the most effective ways to utilize vulnerability scanning
  • establish key criteria for selecting a vulnerability scanning tool

The content is organized into four sections, starting with an assessment of your current vulnerability scanning setup, followed by the type of scanner required. It then explores what should be scanned and when, concluding with general recommendations.


Benefits of Implementing Vulnerability Scanning

Organizations can gain numerous advantages from adopting vulnerability scanning:

  • Automation: Scans can be scheduled, executed on-demand, or triggered by events such as new software deployments, ensuring an up-to-date understanding of vulnerability status.
  • Speed: Scanners perform extensive checks more quickly than manual assessments, allowing for timely detection of vulnerabilities.
  • Cost-Effectiveness: The efficiencies gained through speed and automation make vulnerability scanning more economical than manual testing.
  • Scalability: Cloud-based solutions can adjust resources to accommodate various scanning needs across different environments.
  • Compliance: Many solutions incorporate specific checks for adherence to recognized information security standards or an organization’s own security protocols.
  • Precision: Tailored vulnerability checks can yield more accurate results compared to generic software asset management information.

Ultimately, vulnerability scanning enables organizations to keep pace with potential threats and manage security risks effectively.

Comparison to Manual Security Testing

It is crucial to recognize that while automated vulnerability scanning is efficient, it cannot replace comprehensive manual processes like penetration testing, which offers deeper insights.

Automated scans should be viewed as a method for identifying frequent security issues without relying on specialized labor. Addressing simpler vulnerabilities through regular scans allows for more specialized testing to focus on intricate security challenges.


1. Assess Your Current Vulnerability Management Program

Vulnerability scanning proves effective only when integrated into a broader vulnerability management program (VMP).

A VMP generally comprises the following stages:

  • System Discovery: Identifying organizational assets.
  • Asset Classification: Grouping assets based on similar characteristics.
  • Vulnerability Detection: Locating and confirming vulnerabilities in assets.
  • Vulnerability Triage: Prioritizing vulnerabilities by technical or business goals.
  • Vulnerability Remediation: Advising on and confirming the resolution of highlighted issues.
  • Vulnerability Disclosure: Creating a channel for researchers to inform you of relevant vulnerabilities. Refer to the Vulnerability Disclosure Toolkit for guidance on establishing your own process.

Supporting Your VMP

Vulnerability scanning tools often include features to assist or integrate with a VMP, such as:

  • Conducting system discovery through regular scans of new hosts or applications.
  • Verifying discovered systems against existing asset management records.
  • Customizing vulnerability reports to align with organizational priorities.
  • Facilitating remediation by re-scanning and confirming the resolution of specific issues.
  • Integrating with other platforms like bug tracking systems to streamline workflows.
  • Offering a secure portal for collaborative vulnerability management.

Essential Features to Consider

The relevance of available features will depend on your existing VMP. An organization without a pre-established VMP may benefit from a solution with a central portal for administrators to manage vulnerabilities easily.

On the other hand, organizations with a mature VMP might only need a product that facilitates the export of results for easy integration with current systems.

Additional features necessary for selecting a vulnerability scanning solution are documented in the concluding sections of this guide.


2. Identify Your Assets

In the context of vulnerability scanning, an ‘asset’ refers to any entity, whether physical or virtual, associated with specific vulnerabilities. This could include:

  • A network component such as a router or switch.
  • A connected device like a laptop, server, or peripheral.
  • A web application or platform instance.
  • Cloud-hosted resources or endpoints.

Organizations typically possess a diverse range of assets within these categories, requiring accurate identification and documentation (ideally in an asset register) to select the most appropriate scanners. Many vendors charge for services on a per-asset basis, underlining the importance of understanding asset counts before procurement.

Aspects of your IT environment may be widely distributed, particularly if employees work remotely. Focus on shared services accessed remotely by these devices, such as web portals or VPN servers, while recognizing that scanning remote devices may present challenges. Regularly updating software is crucial to mitigate vulnerabilities.

Once assets have been identified, categorize them into logical groups to define manageable scopes for subsequent vulnerability scans.


3. Select an Appropriate Type of Vulnerability Scanner

Vulnerability scanners vary based on the type of target being assessed, with general categories for ‘infrastructure’ and ‘applications’.

Application scanners can further be divided into those aimed at web applications and those that assess native applications, with additional specialties for cloud infrastructures and mobile applications.

While specialized scanners optimize results for specific targets, a diverse IT landscape often necessitates a foundational level of general scanning to ensure adequate coverage of common infrastructure vulnerabilities. When budget permits, employing both general and specialized scans can enhance overall security.

Infrastructure Scanners

Infrastructure scanning tools focus on identifying and evaluating services accessible from the network or Internet. They often include host discovery and port scanning capabilities.

These scanners probe discovered network services to gather as much information as possible, such as software vendor details and version numbers, using techniques like fingerprinting. Once identified, these fingerprints are cross-referenced with vulnerability databases.
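As an added illustration (not code from the NCSC guidance or any scanner product), the following Python sketch shows the fingerprint-then-lookup step just described: a service banner is matched to a product and version, and that version is compared numerically against a constructed, placeholder vulnerability database. The version ranges, finding identifiers and sample hosts are all made up for the example.

```python
import re
# Constructed illustrative data: products are real, but version ranges and
# finding identifiers are placeholders, not real advisories.
VULN_DB = [
    # (product, first affected version, first fixed version, finding)
    ("apache", "2.4.0", "2.4.10", "EXAMPLE-0001 missing security patch"),
    ("apache", "2.4.0", "2.4.55", "EXAMPLE-0002 outdated release"),
    ("openssh", "7.0", "8.4", "EXAMPLE-0003 weak default key exchange"),
]

# Fingerprint rules: a banner regex that captures the version, plus the product.
BANNER_RULES = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(\S+)"), "openssh"),
    (re.compile(r"^Server:\s*Apache/(\S+)", re.IGNORECASE), "apache"),
]

def parse_version(text):
    """'2.4.10' -> (2, 4, 10). Compare numerically, not as strings: the string
    '2.4.9' sorts after '2.4.10' and would wrongly be treated as fixed."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def fingerprint(banner):
    """Return (product, version) for a recognised banner, else None."""
    for pattern, product in BANNER_RULES:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None

def lookup(product, version):
    """Findings whose affected range [first_affected, first_fixed) covers version."""
    v = parse_version(version)
    return [finding for p, lo, hi, finding in VULN_DB
            if p == product and parse_version(lo) <= v < parse_version(hi)]

def assess(banners):
    """banners: {host: banner} -> {host: (product, version, findings)}.
    Unrecognised banners are kept with no findings so the coverage gap stays
    visible for manual follow-up instead of being silently dropped."""
    results = {}
    for host, banner in banners.items():
        fp = fingerprint(banner)
        results[host] = (fp[0], fp[1], lookup(*fp)) if fp else (None, None, [])
    return results

# Constructed sample banners for three hosts.
SAMPLE_BANNERS = {
    "10.0.0.1": "Server: Apache/2.4.9 (Unix)",
    "10.0.0.2": "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "10.0.0.3": "220 unknown-ftpd ready",
}
```

Running `assess(SAMPLE_BANNERS)` flags the Apache 2.4.9 host on both placeholder findings, reports the OpenSSH 8.4p1 host as clean, and records the unrecognised FTP banner with no product, which is exactly the kind of gap a breadth-first infrastructure scanner leaves for manual review.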

While some scanners offer advanced features (e.g., checks needing authentication), they generally prioritize breadth over depth and may miss vulnerabilities requiring intricate interactions typical in web applications.

Thus, infrastructure scanners are ideal for monitoring large network environments, especially when standard solutions with limited custom software are predominant.

Web Application Scanners

Web application scanners are specifically designed to pinpoint vulnerabilities in applications and web services operating over HTTP/S.

These tools function by mimicking user interactions with applications, rapidly sending requests to elicit responses that may indicate vulnerabilities.

They typically address a variety of security concerns affecting both the web server and its users, often correlating with lists like the OWASP Top 10, which outlines critical risks to web applications.

Advanced scanners may allow for tailored configurations, making them more adept at navigating complex applications, thus yielding relevant results during assessments.

Web application scanners complement infrastructure scanners effectively, particularly when custom applications significantly contribute to your network’s risk profile. The NCSC’s Web Check service serves as an example focused on public sector applications.

Native Software Scanners

These scanners identify common flaws in custom applications, functioning within internal environments and often requiring direct access to source code.

More information regarding managing vulnerabilities during the software development process is available in our Secure Development Principles.

Comparing Different Scanners

Type of Vulnerability Scanning: Infrastructure

Relevant Assets:
  • Network infrastructure components
  • Physical hosts
  • Virtual machines
  • End user devices
  • Cloud-hosted endpoints

Example Issues Detected:
  • Missing OS or application patches
  • Unsupported or outdated software
  • Weak passwords or defaults
  • Weak encryption or unsecured services
  • Exposed sensitive data
  • Lack of hardening measures
  • Overly permissive access settings

Type of Vulnerability Scanning: Web Application

Relevant Assets:
  • API endpoints
  • Web applications
  • Web domains

Example Issues Detected:
  • Malicious input injections
  • Broken authentication processes
  • Disclosed sensitive user or system information
  • Access control vulnerabilities
  • Weak third-party components
  • Weak cryptography or unencrypted communications


4. Select a Deployment Model

The market for vulnerability scanning solutions features both traditional on-premises options and increasingly popular vendor-hosted models. Choosing the right deployment model requires consideration of how well it fits your infrastructure and meets your security requirements.

On-Premises Solutions

With on-premises deployments, the organization hosts the scanning software on its infrastructure, such as a virtual machine or physical appliance within their data center.

This approach allows for scanning areas of the network lacking external connectivity, while also ensuring control over sensitive data stored locally.

However, this administrative control comes at a cost: initial configuration and ongoing maintenance, including keeping the scanner's vulnerability checks up to date.

On-premises solutions can be hard to scale for peak demand, and capacity provisioned for peaks may sit idle the rest of the time, adding unnecessary infrastructure and maintenance cost. They are best employed for scanning systems that lack easy Internet access, or where suitable on-site hosting already exists.

Vendor-Hosted Solutions

Many services are now available as SaaS, where the scanning software is hosted remotely, offering a potentially cost-effective alternative to on-premises solutions.

This model presents unique challenges, particularly with internal network access. Utilizing agents within internal networks can establish outbound connections to vendor servers, while adjustments to firewalls may also be necessary.

Trust in the security vendor is essential when implementing changes to network accessibility, which should be well documented as part of your overall security strategy.

Despite the potential risks, SaaS solutions offer numerous advantages over on-premises deployments: reduced maintenance obligations and the ability to dynamically scale according to demand, avoiding costs associated with unused capacity.

Provided you trust the vendor's controls, a hosted solution can also simplify protecting scan results: sensitive information about your vulnerabilities is held securely by the vendor while remaining readily accessible to authorized personnel.


5. Determine Which Assets to Scan and When

While comprehensive scanning enhances visibility of organizational risk, it may not be feasible to scan every asset. It is advisable to focus on Internet-accessible assets, those responsible for critical business services, or those containing sensitive data, such as database servers. Maintaining a record of excluded assets is vital for effective risk management.

Extrapolating Test Results

If numerous hosts are provisioned from a consistent ‘golden image’, it may suffice to scan a single instance and apply findings across others.

Although vulnerability scanners typically do not disrupt service availability, initial scans might focus on non-production servers providing business-critical services. Consistency between production and non-production configurations is key for extrapolative results.

In the absence of a representative testing environment, it may be necessary to temporarily exclude certain fragile or sensitive hosts from scans. Keep such exclusions as short as possible to avoid creating security blind spots: fragile hosts are also the ones most likely to harbour vulnerabilities that need prompt fixing.

Regular Scanning

Performing vulnerability scans regularly (ideally monthly) is crucial, especially after implementing critical remediation measures.

Application scanners should be utilized whenever updates occur to the target application, like version changes or source code modifications. Whenever possible, integrate scanning into the secure build and deployment processes.


Further Considerations

Several additional factors are critical when evaluating the appropriateness of vulnerability scanning solutions. While it’s challenging to define precise metrics for success, consider the following essential criteria when assessing potential vendors:

  • Responsiveness: Can the solution promptly identify new vulnerabilities within a few days of public disclosure?
  • Coverage: Does the scanner address relevant categories of vulnerabilities important to your organization, such as the OWASP Top 10?
  • Authentication Support: Is it capable of performing authenticated checks, including the ability to log into systems for deeper testing?
  • Accuracy: Does the scanner minimize false positives and false negatives in its outcomes?
  • Reliability: Is the scanner consistently accessible for scheduled or on-demand tasks?
  • Scalability: Can the scanner manage increased demand effectively and affordably?
  • Reporting Capabilities: Are reports customizable and informative enough to support security assessments?
  • Integration with Existing Systems: Can the solution be easily assimilated into your current processes, supporting the VMP?
  • Value from Existing Components: Can it leverage software or systems already in place to enhance scanning capabilities?
  • Support for Diverse Assets: Does it accommodate various asset types, including virtual environments or cloud integrations?
  • Safety Assurance: Can the vendor guarantee that scans won’t disrupt targeted services?

Vulnerability Scanning Overview

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/vulnerability-scanning-tools-and-services
