Vulnerability Scanning

Vulnerability scanning is an automated activity using software to scan your code base, live application(s), and/or the network, to identify potential sources of vulnerability that could be exploited to gain unauthorised access to critical systems and sensitive data. 

Vulnerability scanning is complementary to penetration testing, and the two are sometimes packaged together by external consultancies that manage or support both activities. The difference is that penetration testing includes a manual component and is, in principle, more thorough because of it, finding vulnerabilities in the systems that automated scanning may not identify. Penetration testing is also less frequent, so more regular vulnerability scanning complements it by allowing more timely identification and remediation of vulnerabilities.

There are three key types of vulnerability scans to consider.

Static code analysis scanning 

Scanning the code base can identify common sources of vulnerability and is the most timely way to find vulnerabilities so they can be addressed before they reach the production environment. Often this type of scanning is provided by the code repository, such as GitHub with Dependabot scans and alerts, and forms part of a well-configured CI/CD pipeline that may prevent the release of changes containing vulnerabilities that haven’t been assessed and approved. These scans may also be performed earlier in the process, in the integrated development environment (IDE) as the code is built, which gives more timely feedback and remediation while the code changes are still being written.

Application vulnerability scanning 

Dynamic application security testing (DAST) scans the application(s) from the outside as they run in their live environment, to identify security vulnerabilities like cross-site scripting, path traversal, SQL injection, and more. In contrast to static code analysis, any vulnerabilities identified are already in the live environment and open to exploitation. A rating system is often used to assess the likelihood and severity of the vulnerability being exploited, which drives the remediation timeline accordingly. It’s not uncommon for some, or even many, low-rated vulnerabilities to remain in the applications. OWASP ZAP is a good free tool for web application scanning.
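As an added example, not code from the original page, the small Python release gate below ties together the CI/CD pipeline check from the static scanning section and the rating-driven remediation timeline described here: blocking-rated findings stop a release unless an approved exception exists, and every finding, low-rated ones included, gets a due date from its rating. The rating names, SLA days, record layout and sample findings are assumed values, not taken from the page.

```python
"""Release gate over scanner findings (added example, not code from the page)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation window per rating: assumed policy values, adjust to your own program.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Ratings that block a release unless the finding has an approved exception.
BLOCKING = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # scanner's identifier for the issue
    rating: str       # critical / high / medium / low
    first_seen: date  # date the scanner first reported it


def parse_findings(records):
    """Turn exported scanner records (dicts with ISO dates) into Findings."""
    out = []
    for r in records:
        if r["rating"] not in SLA_DAYS:
            raise ValueError(f"unknown rating {r['rating']!r} for {r['id']}")
        out.append(Finding(r["id"], r["rating"], date.fromisoformat(r["first_seen"])))
    return out


def due_date(f):
    """Remediation deadline derived from the rating, as the text describes."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.rating])


def gate(findings, approved_exceptions, today):
    """Return (allow_release, blockers, overdue); today is an ISO date string.
    Release is refused when a blocking-rated finding has no approved exception,
    or when any finding without an exception is past its due date."""
    now = date.fromisoformat(today)
    open_findings = [f for f in findings if f.finding_id not in approved_exceptions]
    blockers = [f.finding_id for f in open_findings if f.rating in BLOCKING]
    overdue = [f.finding_id for f in open_findings if now > due_date(f)]
    return (not blockers and not overdue), blockers, overdue


# Constructed sample export, in the shape a scanner might produce.
SAMPLE = [
    {"id": "SQLI-001", "rating": "high", "first_seen": "2024-05-01"},
    {"id": "XSS-007", "rating": "medium", "first_seen": "2024-05-01"},
    {"id": "HDR-042", "rating": "low", "first_seen": "2024-01-01"},
]

if __name__ == "__main__":
    print(gate(parse_findings(SAMPLE), {"SQLI-001"}, "2024-05-10"))  # (True, [], [])
```

Run it with the current date and the exported findings in a pipeline step; a non-`True` first element is the signal to fail the job.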

Network vulnerability scanning

Network vulnerability scanning, like dynamic application security testing, scans the live environment and identifies vulnerabilities that are available for exploitation. In contrast to scanning the application, it scans the network and infrastructure environment for misconfigurations, open ports, or outdated systems and software on firewalls and other networking devices. Amazon Inspector, Azure Defender for Cloud, and Google Command Centre are three commonly used solutions that are native to their respective cloud infrastructure environments.

Identified vulnerabilities should be logged, assessed and prioritised for resolution. See the Vulnerability Management Program page for further details on handling vulnerabilities.