These days, virtually every company is dependent on IT systems. For example, online retailers need properly functioning web shops and insurance companies want customers to be able to submit claims online. Self-evidently, all online systems must be guaranteed to be secure. However, it is sometimes hard to determine which measures are suitable and fit within the available budget. For example, you can use a vulnerability scanner to check your application for vulnerabilities, but you can also get an ethical hacker to conduct a comprehensive investigation. Neither method stands alone and they can in fact effectively supplement each other. But what are the pros and cons if you decide to commission a vulnerability scan?
Benefits of vulnerability scanning tools
- Fast results
The major advantage of an automated scanning tool is that it generates a result relatively quickly. That way, you can get a picture of your security whenever you want it.
An automated vulnerability scan is easy to repeat. You decide whether you want to run a scan daily, weekly or monthly and get an update on changes and vulnerabilities detected.
Most vulnerability scanning tools have a clear interface and are therefore easy to use. As such, the barrier to system administrators and others using them is low. It should be noted, however, that the results of the tools contain fairly specialist details. This means that a security specialist is still needed to interpret the findings and take action.
- Constant monitoring
A vulnerability scanning tool can also be deployed effectively for constant monitoring, for instance if a lot of deployments are performed. Moreover, it offers system administrators continuous insight into the status of the infrastructure.
Drawbacks of vulnerability scanning tools
- A vulnerability scanning tool will not find nearly all vulnerabilities
Because a vulnerability scanning tool also misses vulnerabilities, you have no guarantee that your systems are not vulnerable. This is one of the biggest limitations of all scanning tools, because there can still be vulnerabilities that hackers can exploit. There are two possible reasons for this:
- The scanner is not aware of the vulnerability, for example because it has only just been discovered.
- The vulnerability is too complex to be found by an automated tool because the attack is not trivial to automate.
- Constant updates required
In order to ensure that the most recent vulnerabilities are found, you need to make sure the tool is continually updated.
- False positives
Particularly if you have a large IT infrastructure, lots of servers and services, it can be hard to understand the impact of the findings/vulnerabilities of the scanning tool. As a result, you will often be faced with false positives. If you are not specialised in security, recognising them is a challenge, which makes interpreting the results a time-consuming business. Moreover, if false positives are not filtered out, the tool does not get smarter and will continue to generate false results.
- Implications of vulnerability unclear
If a vulnerability is found, it is sometimes difficult to assess what it means for business operations. What will be the impact on different departments, employees and processes? An automated tool will not tell you this and a system administrator will typically be more focused on the technical aspect of the vulnerability.
A vulnerability scan tool is becoming increasingly important in an IT landscape where deployments are made daily or even more often and the development of new applications is fast.
Laurens Baardman, Security Specialist at Computest
A vulnerability scanning tool is therefore mainly useful for getting a grip on the state of your IT infrastructure and, for example, alerting you if developers have accidentally opened a port. This is becoming increasingly important in an IT landscape in which deployments are made daily or even more frequently and the development of new applications takes place rapidly. For instance, an automated scanner can provide additional assurance in terms of security in a CI/CD development environment.
How do you resolve the drawbacks?
But how do you make sure you have a complete and continuous understanding of vulnerabilities in your network? Ideally, you want to have the best of both worlds: an automated vulnerability scan and the expertise of an ethical hacker. At Computest, we have combined this in the hybrid service Marvin_.
Marvin_ performs a daily automated vulnerability scan of the entire infrastructure and/or web applications. Existing and proven scanning techniques are used in order to be sure that the latest vulnerabilities are being monitored too. One of our security specialists then decides which findings are relevant and marks them in the dashboard. As a result, you can see the environment's security status at a glance and see how many threats rated as relevant were detected in the last scan. The manual filtering and the expertise of the specialist rule out false positives. Moreover, when a vulnerability is identified, it is immediately accompanied by a recommendation to resolve it and minimise the impact on the overall organisation.