Vulnerability scanning: essential practices for continuous security

Vulnerability scanning is a critical component of any comprehensive security strategy, particularly for Software as a Service (SaaS) companies. It serves as an ongoing check to identify potential weaknesses in your systems that could be exploited by attackers. While often confused with penetration testing, vulnerability scanning plays a distinctly different, complementary role. Here’s a closer look at the purpose of vulnerability scanning, the different types available and how to implement a “just enough” approach to meet audit and compliance requirements without overwhelming your resources.

Vulnerability scanning vs. penetration testing
Before diving into the specifics of vulnerability scanning, it’s important to understand how it differs from penetration testing:

  • Vulnerability scans: these are automated processes designed to identify known vulnerabilities in your systems. They provide a broad assessment, scanning for issues across various parts of your environment, including software, networks, and devices. Vulnerability scans are typically conducted more frequently than penetration tests, offering a continuous view of your security posture.
  • Penetration tests: in contrast, penetration tests are more comprehensive, often manual evaluations that go beyond identifying vulnerabilities. They attempt to exploit them to assess the potential impact of an attack. Penetration tests are usually performed annually due to their resource-intensive nature and are complemented by more frequent vulnerability scans.

Types of vulnerability scans
Vulnerability scans can be conducted across different layers of your environment, each serving a different purpose in maintaining security:

  • Network vulnerability scans:
    • Purpose: these scans focus on identifying vulnerabilities in your network infrastructure, such as open ports, misconfigurations and outdated software.
    • Coverage: in modern cloud environments, much of the network security may be handled by your cloud provider’s built-in security features, like AWS’s network firewalls and monitoring tools. However, running scans yourself adds an extra layer of assurance that nothing critical is overlooked.
  • Device-level vulnerability scans:
    • Purpose: these scans target the individual devices within your network, such as servers, desktops and mobile devices. They check for vulnerabilities like missing patches or outdated software.
    • Usage: these scans are particularly important in environments where devices are used to access or manage sensitive data, ensuring all endpoints are secure.
  • Application and codebase scans:
    • Static code analysis: this type of scan examines your codebase without executing it, identifying vulnerabilities in the source code itself. It’s a proactive approach allowing you to catch issues early in the development process.
    • Dynamic application scans: these scans evaluate the application in its running state, identifying vulnerabilities that could be exploited during operation, such as SQL injection or cross-site scripting (XSS).
    • Live environment scans: these are conducted on the live production environment, ensuring the deployed application is secure and free from vulnerabilities introduced during deployment or operation.

Implementing 'just enough'

Completing vulnerability scans on the application/codebase - at least once before (Type 1), or at least quarterly (Type 2) - is often enough to pass the vulnerability scanning control. Modern SaaS companies using cloud infrastructure and limiting sensitive data on devices have a lower inherent risk associated with the network and device-level vulnerability scans. The “critical” and “high” vulnerabilities identified should then be logged and resolved within a reasonable timeframe (in line with policy, or industry standards). 

➡️ Doing less tip #1: focus on critical systems
While vulnerability scanning should be comprehensive, it’s essential to prioritize the scanning of systems that are most critical to your business, particularly the SaaS product’s codebase and hosting environment.

➡️ Doing less tip #2: frequency and timing

  • Quarterly scanning: the industry standard for vulnerability scanning is to perform scans at least quarterly. This frequency strikes a balance between maintaining security and managing resources.
  • After major changes: scans should also be conducted after significant updates or changes to your environment. This ensures new vulnerabilities haven’t been introduced during the update process.

➡️ Doing less tip #3: review and prioritization of findings

  • Critical and high-risk focus: not all vulnerabilities need to be addressed immediately. A risk-based approach should be applied, where critical and high-risk vulnerabilities are prioritized for remediation.
  • Documented process: from an audit perspective, it’s crucial to have a documented process for reviewing vulnerability scan reports, prioritizing findings and planning remediation efforts.

Better practices
The better practices are touched on above. These include:

  • Scanning all important system components with multiple forms of vulnerability scanning.
  • Conducting the scans frequently; for example, code scanning prior to every release as part of a configured CI/CD methodology, and after each major release for the live application state.
  • Logging, classifying, prioritizing and resolving identified vulnerabilities within a defined service level agreement that’s part of a defined vulnerability management policy.
  • Having a predefined engineering budget for resolving vulnerabilities, or another management mechanism that weighs them against other engineering work, so that security receives appropriate prioritization.
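The "just enough" paragraph, tip #3 and the better-practices list above all come down to the same mechanics: log each finding, classify it by severity, give it a remediation deadline from the policy's SLA, and decide which open findings block a release. The following script is an added example (not code from the original article) showing those mechanics end to end. The SLA day counts, the severity levels, the asset names and the sample findings are all constructed assumptions; substitute the values from your own vulnerability management policy.

```python
"""Triage vulnerability scan findings against a remediation SLA.

Added example, not part of the original article. Policy values and sample
findings below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical policy (assumption): days allowed to remediate a finding of each
# severity, as a vulnerability management policy would define them.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Open findings at these severities block a release in the CI/CD gate below.
GATE_SEVERITIES = {"critical", "high"}


@dataclass
class Finding:
    finding_id: str
    asset: str                      # e.g. "api-codebase", "prod-web-01" (constructed)
    severity: str                   # one of SLA_DAYS' keys
    found_on: date                  # date the scan reported it
    resolved_on: Optional[date] = None

    @property
    def is_open(self) -> bool:
        return self.resolved_on is None


def due_date(f: Finding) -> date:
    """Remediation deadline: detection date plus the SLA for the severity."""
    return f.found_on + timedelta(days=SLA_DAYS[f.severity.lower()])


def sla_breached(f: Finding, today: date) -> bool:
    """True if the finding passed its deadline, whether still open or resolved late."""
    end = f.resolved_on or today
    return end > due_date(f)


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings in remediation order: highest severity first, then soonest deadline."""
    open_findings = [f for f in findings if f.is_open]
    return sorted(open_findings,
                  key=lambda f: (SEVERITY_RANK[f.severity.lower()], due_date(f)))


def overdue_ids(findings: List[Finding], today: date) -> List[str]:
    """IDs of open findings that are already past their SLA deadline."""
    return [f.finding_id for f in prioritize(findings, today) if sla_breached(f, today)]


def breach_count(findings: List[Finding], today: date) -> int:
    """Audit metric: findings that breached the SLA, including ones resolved late."""
    return sum(1 for f in findings if sla_breached(f, today))


def release_gate(findings: List[Finding], today: date) -> Tuple[bool, List[str]]:
    """Pre-release check for a CI/CD pipeline: passes only when no critical or
    high finding is open. Returns (ok, ids of the blocking findings)."""
    blocking = [f.finding_id for f in prioritize(findings, today)
                if f.severity.lower() in GATE_SEVERITIES]
    return (len(blocking) == 0, blocking)


def report(findings: List[Finding], today: date) -> List[str]:
    """Human-readable remediation queue for the review meeting."""
    lines = []
    for f in prioritize(findings, today):
        status = "OVERDUE" if sla_breached(f, today) else "within SLA"
        lines.append(f"{f.finding_id} {f.severity:<8} {f.asset:<14} due {due_date(f)} {status}")
    return lines


# Constructed sample findings, as a scanner export might be logged.
TODAY = date(2024, 5, 1)
SAMPLE_FINDINGS = [
    Finding("V-1", "api-codebase", "critical", date(2024, 4, 1)),
    Finding("V-2", "prod-web-01", "high", date(2024, 4, 20)),
    Finding("V-3", "staging-db", "medium", date(2024, 3, 1)),
    Finding("V-4", "api-codebase", "critical", date(2024, 4, 10), resolved_on=date(2024, 4, 12)),
    Finding("V-5", "prod-web-02", "high", date(2024, 2, 1), resolved_on=date(2024, 3, 15)),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS, TODAY)))
    ok, blocking = release_gate(SAMPLE_FINDINGS, TODAY)
    print("release gate:", "PASS" if ok else f"BLOCKED by {blocking}")
    print("SLA breaches to date:", breach_count(SAMPLE_FINDINGS, TODAY))
```

Running it prints the queue with V-1 flagged overdue, a blocked release gate (V-1 and V-2 are open critical/high findings) and two SLA breaches, one of them V-5, which was fixed but after its deadline. Keeping late-resolved findings in the breach count is deliberate: an auditor asks whether the policy's timeframes were met, not only whether the queue is empty today.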

In a nutshell
Vulnerability scanning is a vital practice for maintaining the security of your systems and meeting the expectations of enterprise customers. By understanding the different types of vulnerability scans—ranging from network to device-level, to application and codebase scans—you can tailor your scanning strategy to cover the most critical areas of your environment. Applying the ‘just enough’ principle ensures scans are conducted with appropriate frequency and focus, findings are managed efficiently, and compliance requirements are met without overburdening your team. This balanced approach keeps your systems secure while maintaining a manageable and effective security program.