Vulnerability Scanners; the Good, the Bad and the Ugly

Dr Magda CHELLY, CISSP, PhD
Magda On Cyber
9 min read, Apr 28, 2022

This article was written with Tom Philippe and Jia Wen Zheng. It is also a summary of extensive research to be published shortly (at the time of writing).

In order to understand vulnerability management, it is important to first align on the fundamentals.

A vulnerability can be defined as a flaw or weakness in a system that can be exploited by an attacker to gain unauthorized access to sensitive data or create system interruption.

There are many reasons why vulnerability management is important. Firstly, vulnerabilities can lead to data breaches which can result in the loss of sensitive information or the compromise of systems. Secondly, unpatched vulnerabilities can be used by attackers to launch cyber attacks, which can cost businesses millions of dollars.

A vulnerability scanner is a software application that scans computer systems or networks for known security vulnerabilities. It is used to identify and address security holes in systems before they can be exploited by malicious hackers.

Most vulnerability scanners work by comparing the system’s configuration against a database of known vulnerabilities. They will then report any vulnerabilities that are found, along with information about how to fix them. Some vulnerability scanners also offer remediation advice, which can help automate the process of fixing the vulnerabilities that are discovered.

There are many types of vulnerability scanners that cover different aspects of company assets and offer many features for the identification, classification, mitigation, and remediation of vulnerabilities. Each type of scanner contributes greatly to building the company’s security posture and strengthens the company’s security infrastructure as a whole.


What Do We Use Vulnerability Scanners For?

Vulnerability scanners are critical tools for identifying potential security weaknesses in systems and applications. By regularly scanning for vulnerabilities, organizations can stay ahead of the curve in terms of cybersecurity threats and mitigate security loopholes before they can be exploited.

Some scanners focus on web application vulnerabilities, while others target specific types of systems or networks. And while some scanners are very simplistic, others offer a wide range of features and capabilities.

When choosing a vulnerability scanner, it’s important to consider what your specific needs are. Do you need a tool that can scan for a wide range of potential vulnerabilities? Or one that focuses specifically on web applications?

There are four main types of vulnerability scanners: active, passive, client-side, and server-side.

Active scanners actively probe for vulnerabilities by sending requests to the target system and then analyzing the responses. This can generate a lot of traffic and sometimes trigger security alarms. However, active scanners are generally more thorough than passive scanners because they can test for vulnerabilities that may not be detectable by passively observing network traffic.

Passive scanners do not send probes to the target system but instead observe traffic going to and from it. By analyzing this traffic, passive scanners can often detect vulnerabilities that active scanners would miss. However, they may not be able to detect all vulnerabilities since they are not proactively testing for them.

Client-side scanners focus on the client software that is installed on a user’s computer, such as web browsers and email programs. They check for vulnerabilities in these programs that could allow an attacker to exploit them and take control of the user’s computer. Server-side scanners focus on the server software that powers websites and other online services. They check for vulnerabilities in these programs that could allow an attacker to gain access to sensitive data or take over the server itself.
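As an added illustration of the passive approach described above (this is not code from the original article), the following Python snippet inspects HTTP responses that were already captured by a tap or proxy and lists weaknesses a scanner could report without sending a single probe. The responses are constructed samples, and the checks (version banner, missing security headers, cookie flags) are chosen for the example.

```python
"""Passive web check, added as an illustration: it inspects HTTP responses that were
already captured (by a tap or proxy) and never sends a probe of its own."""
from typing import Dict, List, Tuple

# Constructed sample responses, not real captures.
CAPTURED_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.49\r\nContent-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n\r\n<html>...</html>",
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000\r\n"
    b"X-Content-Type-Options: nosniff\r\nSet-Cookie: id=1; Secure; HttpOnly\r\n\r\n{}",
]
REQUIRED_HEADERS = ("strict-transport-security", "x-content-type-options")
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}

def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into its status line and a header map.
    Names are lower-cased; repeated headers such as Set-Cookie are kept as a list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def passive_findings(raw: bytes) -> List[str]:
    """Weaknesses visible in one response without sending any traffic."""
    _status, headers = parse_response(raw)
    findings = []
    for server in headers.get("server", []):
        if "/" in server:  # "Apache/2.4.49" discloses an exact version
            findings.append(f"version disclosure: Server: {server}")
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"missing header: {name}")
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        cookie_name = cookie.split("=", 1)[0]
        for attr, label in COOKIE_FLAGS.items():
            if attr not in attrs:
                findings.append(f"cookie {cookie_name} lacks {label} flag")
    return findings

def scan_capture(responses=CAPTURED_RESPONSES) -> List[List[str]]:
    """Run the passive checks over every captured response."""
    return [passive_findings(r) for r in responses]
```

The first sample response yields five findings and the hardened second one yields none; a real passive scanner would run the same logic over mirrored traffic rather than a fixed list.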

Web Application Scanners

There are a number of different web application vulnerability scanners on the market, and the one you choose depends on your specific needs and budget.

Web application scanners are a commonly available type that can be used to find vulnerabilities in websites and web applications. They work by crawling: the scanner follows the links on the target site and fuzzes directory names to discover accessible pages, then tests those pages for potential security flaws (and if it finds some, you have your hands full). Some of the more popular ones include Acunetix, Burp Suite, Nikto, and OWASP ZAP.

Before you purchase a scanner, it’s important to do your research and make sure you choose one that meets your specific requirements. For example, if you’re looking for a scanner that can handle crawling large websites, then you’ll want to choose one that has robust crawling capabilities. Or if you’re looking for a scanner that can detect vulnerabilities in AJAX-based applications, then you’ll want to choose one that specializes in AJAX scanning.

Network Scanners

Network scanners are tools that allow you to scan a network for various purposes. Some common uses for network scanners include finding vulnerable devices or assessing the security of a network. There are many different types of network scanners, and each has its own unique features and capabilities.

One of the most popular types of network scanners is the Nmap scanner. Nmap is a free and open source tool that can be used to scan both small and large networks. It can be used to identify live hosts, open ports, running services, and much more. Nmap is a very versatile tool, and it can be used in a variety of ways depending on your needs.
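The comparison step described earlier (a scanner matching what it sees against a database of known vulnerabilities, then reporting each hit with remediation advice) can be shown on Nmap's own output. The Python below is an added example, not code from the article or from the Nmap project: it parses a constructed `nmap -sV -oX` style report, extracts every open service that reported a version banner, and matches it against a constructed vulnerability database whose ids are placeholders rather than real CVE numbers.

```python
# Added example: match Nmap service banners to a constructed vulnerability database.
import itertools
import xml.etree.ElementTree as ET

# Constructed `nmap -sV -oX` style output for two hosts; not a real scan.
NMAP_XML = """<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Samba smbd" version="3.6.25"/></port>
</ports></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
</ports></host></nmaprun>"""

# Constructed database; the ids are placeholders, not real CVE numbers.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "OpenSSH", "fixed_in": "8.0", "fix": "upgrade OpenSSH to 8.0 or later"},
    {"id": "EXAMPLE-0002", "product": "Samba smbd", "fixed_in": "4.0", "fix": "upgrade Samba to a supported 4.x release"},
]

def version_key(version):
    """'8.9p1' -> (8, 9): compare versions numerically, not as strings."""
    key = []
    for piece in version.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        key.append(int(digits) if digits else 0)
    return tuple(key)

def open_services(xml_text):
    """Yield (host, port, product, version) for each open port with a version banner."""
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue  # closed/filtered ports and unidentified services are skipped
            if svc.get("product") and svc.get("version"):
                yield addr, port.get("portid"), svc.get("product"), svc.get("version")

def match_vulnerabilities(xml_text=NMAP_XML, db=VULN_DB):
    """Report each open service whose version is older than the database's fix version."""
    findings = []
    for addr, portid, product, version in open_services(xml_text):
        for vuln in db:
            if vuln["product"] == product and version_key(version) < version_key(vuln["fixed_in"]):
                findings.append({"host": addr, "port": portid, "service": f"{product} {version}",
                                 "id": vuln["id"], "remediation": vuln["fix"]})
    return findings
```

Banner-based matching like this is also where many scanner false positives come from: distributions often backport fixes without changing the version string, which is one reason authenticated scans that read the installed package list are more accurate.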

Internal Network Scanners

Deploying network scanners inside the internal network helps identify vulnerabilities in systems that might otherwise lead to a larger breach of the organisation. The scanner is typically placed on the company network so that it can discover vulnerabilities that external network scanners cannot find, because those systems are not exposed to the internet. Features like authenticated scanning are also worth looking out for: they give the scanner access to system logs and configuration files, which yields more accurate results. Internal scanners can detect weaknesses such as a vulnerable SMB service, which external network scanners cannot reach.

Vulnerabilities that an internal network scanner can find include:

  1. Access control vulnerabilities
  2. Vulnerable ports and services in the internal network

External Network Scanners

External network scanning typically acts as a user coming from an unknown or untrusted IP address outside the company network. It detects vulnerabilities by checking the services and systems exposed to the internet. External network scanners are useful for visualising what a remote attacker can see when attacking the site; the vulnerabilities they find should therefore be given higher priority than those found by an internal network scanner, since they are more accessible and more likely to be exploited. External network scanners can also be easier to set up, as they are often offered in the cloud as a service, although some require additional installation on your machine.

Vulnerabilities that external network scanners can detect include:

  1. Vulnerable, open ports exposed to the internet
  2. Vulnerable web applications exposed to the internet

Agent Scanners

Unlike the scanners mentioned previously, agent scanners, or host-based scanners, require an agent to be installed on each device that needs scanning. The scan runs locally, and the results are sent to a central server to be compiled together. While network-based scanners find vulnerabilities at the network level, agent-based scanners detect vulnerabilities at the host level, such as:

  1. Vulnerabilities in the OS
  2. System misconfiguration
  3. Outdated software versions

However, agent-based scanners are more tedious to set up, since an agent has to be installed on every system in the network that needs to be scanned; this can make deploying them difficult in a large company.

Cloud Scanners

Cloud-based scanners are used to detect vulnerabilities in cloud deployments. They usually test the infrastructure for security flaws and known vulnerabilities such as CVEs and misconfigurations, and checks against compliance requirements may also be offered as a feature. Because of the variety of cloud providers, different cloud scanners are developed for different providers such as Azure, Google Cloud, and AWS.

Azure Security Center provides security management and threat detection for Azure virtual machines, networks, services and on-premises data centers. It works with Azure Defender to provide cloud workload protection, which alerts on and protects these components. For example, if a machine is found to have no vulnerability management, the Qualys vulnerability scanner can be deployed into the VM. Azure Defender also scans container images in the Azure Container Registry for CVEs and reports them with CVSS severity scores and remediation guidance.

Google Security Command Center evaluates the security of your cloud infrastructure and mitigates risk by discovering vulnerabilities and threats and identifying misconfigurations. It provides features such as Event Threat Detection, which monitors logs for threats in Google-deployed services and alerts the Security Command Center. Additionally, it detects suspicious activity in container images to catch runtime attacks and alerts Security Command Center as well. It can also scan web applications that use Google services such as Google Compute Engine and Google Kubernetes Engine (GKE) by web crawling and testing user inputs, outdated libraries, etc.

AWS Security Hub monitors and manages security for Amazon services. It checks your resources against best practices and collects data from AWS services and accounts to check for any issues. The two main ways Security Hub surfaces these issues are Findings and Insights. Findings are security issues found in AWS services or third-party products, identifying which have the biggest impact, while an Insight is a collection of findings that identifies an area of concern requiring attention: it filters the findings Security Hub has collected and sorts them into groups.
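To make the Findings/Insights model concrete, here is an added Python example (not AWS code, and not a Security Hub API call): it applies an insight-style filter to a handful of constructed findings shaped like the AWS Security Finding Format, then groups the survivors by resource type. The finding records, the resource ids and the filter values are all constructed for the example.

```python
# Added illustration of the Findings/Insights model: filter ASFF-shaped findings and
# group the survivors by one attribute. The findings below are constructed, not exported
# from a real account, and the insight logic is local, not a Security Hub API call.
from collections import Counter

FINDINGS = [  # constructed, abbreviated AWS Security Finding Format records
    {"Id": "f-1", "Title": "S3 bucket allows public read", "Severity": {"Label": "HIGH"},
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
    {"Id": "f-2", "Title": "Security group allows 0.0.0.0/0 on port 22", "Severity": {"Label": "CRITICAL"},
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-example1"}]},
    {"Id": "f-3", "Title": "EBS volume unencrypted", "Severity": {"Label": "MEDIUM"},
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Type": "AwsEc2Volume", "Id": "vol-example1"}]},
    {"Id": "f-4", "Title": "S3 bucket versioning disabled", "Severity": {"Label": "LOW"},
     "Compliance": {"Status": "PASSED"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-data"}]},
    {"Id": "f-5", "Title": "S3 bucket policy allows any principal", "Severity": {"Label": "CRITICAL"},
     "Compliance": {"Status": "FAILED"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-web"}]},
]

def values_at(record, path):
    """Return every value at a dotted path such as 'Resources.Type', walking into lists."""
    nodes = [record]
    for key in path.split("."):
        next_nodes = []
        for node in nodes:
            items = node if isinstance(node, list) else [node]
            next_nodes += [item[key] for item in items if isinstance(item, dict) and key in item]
        nodes = next_nodes
    return nodes

def matches(finding, filters):
    """A finding passes when, for every filter path, one of its values is in the allowed set."""
    return all(any(v in allowed for v in values_at(finding, path)) for path, allowed in filters.items())

def insight(findings, filters, group_by):
    """Filter findings, then count the survivors per value of the group-by attribute."""
    selected = [f for f in findings if matches(f, filters)]
    counts = Counter(v for f in selected for v in values_at(f, group_by))
    return selected, counts.most_common()

# Insight: failed checks of HIGH or CRITICAL severity, grouped by resource type.
HIGH_RISK_FAILED = {"Severity.Label": ["HIGH", "CRITICAL"], "Compliance.Status": ["FAILED"]}

if __name__ == "__main__":
    selected, ranked = insight(FINDINGS, HIGH_RISK_FAILED, "Resources.Type")
    print([f["Id"] for f in selected], ranked)
```

With these inputs the insight keeps f-1, f-2 and f-5 and ranks S3 buckets as the resource type with the most high-risk failed checks, which is the kind of grouped view the article describes.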

We compared a list of both paid and free vulnerability scanners that can be used commercially and individually.

How to Choose a Vulnerability Scanner?

It’s not easy to choose a vulnerability scanner. There are a few things you should consider when choosing a vulnerability scanner:

1. The size and complexity of your network.
2. The number of devices on your network.
3. The number of applications on your network.
4. The level of security you need.
5. Your budget.
6. Your staff’s technical expertise.

Some vulnerability scanners are better for smaller businesses, while others are better for larger businesses. Some scanners are more comprehensive than others. And some scanners are more affordable than others.

So it’s important to do your research before you make a decision. Ask other IT professionals for their recommendations, read product reviews, and compare features and prices.

Ultimately, the best scanner for your company will depend on your specific needs and budget.

So what’s the best way to find a vulnerability scanner that meets your needs? By doing your research, of course! But no matter which scanner you choose, it’s important to make sure you have a cybersecurity professional on staff to help you stay safe online. Cybercrime is only going to get worse, so don’t wait another day — hire a cybersecurity professional today!

