Vulnerability Scanner

What is a Vulnerability Scanner? 

A vulnerability scanner is a tool that continuously monitors computers, networks or applications to identify security vulnerabilities. The scanner compares what it finds in the network or application (software versions, exposed services, configuration) against a database of known vulnerabilities to determine which weaknesses an attacker could exploit. 

Organizations employ vulnerability scanners to identify known and new vulnerabilities. Vulnerability scanners usually generate reports that detail the security posture of the network or application, providing recommendations to remediate the identified issues.

This is part of a series of articles about vulnerability management.

Vulnerability Scanning Approaches

There are four main ways to conduct vulnerability scanning—external, internal, authenticated, or unauthenticated. 

Internal scans are performed by scanners deployed inside the network, with the goal of finding potential exploits that insider threats could use. External scans mimic an attacker performing reconnaissance on the organization before penetrating it.

Similarly, authenticated scans use valid credentials to find vulnerabilities exposed to insiders or to attackers who already have a foothold in the network, while unauthenticated scans, run without credentials, evaluate how well the network’s security controls hold up against an outsider.

5 Types of Vulnerability Scans 

1. Network Vulnerability Scanners 

A network vulnerability scanner monitors web servers, including their daemons, operating systems, and the various services open to the public Internet, such as database services. 

The scanner identifies vulnerabilities by matching what it finds against a database of known vulnerabilities. Most scanners use the Common Vulnerabilities and Exposures (CVE) catalog of known software vulnerabilities as their main source and the Common Vulnerability Scoring System (CVSS) to score the vulnerabilities they identify. 
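The matching step described above, as an added example that is not part of the article or of any scanner it names: a package inventory collected from a host or image is compared against a vulnerability feed by version range, and every hit is rated with the CVSS v3 qualitative severity bands. The feed, the inventory, the package names and the CVE-0000-000x identifiers are constructed placeholders.

```python
import re

# Constructed vulnerability feed (placeholder CVE ids, not real advisories).
# Real scanners load the CVE catalog plus distro and language advisory feeds.
VULN_FEED = [
    {"id": "CVE-0000-0001", "eco": "alpine", "pkg": "openssl",
     "introduced": "1.1.0", "fixed": "1.1.1t", "cvss": 7.5},
    {"id": "CVE-0000-0002", "eco": "npm", "pkg": "lodash",
     "introduced": "0", "fixed": "4.17.21", "cvss": 9.1},
    {"id": "CVE-0000-0003", "eco": "npm", "pkg": "lodash",
     "introduced": "4.0.0", "fixed": "4.17.12", "cvss": 5.3},
]

# Constructed inventory, as a scanner would collect it from a host or an image.
INVENTORY = [
    {"eco": "alpine", "pkg": "openssl", "version": "1.1.1s"},
    {"eco": "npm", "pkg": "lodash", "version": "4.17.20"},
    {"eco": "pypi", "pkg": "requests", "version": "2.31.0"},
]

def version_key(v):
    """Split '1.1.1t' into chunks: digits compare numerically, letters lexically.
    Simplified on purpose; real scanners apply per-ecosystem rules (Debian epochs
    and revisions, semver pre-release tags)."""
    return tuple((0, int(c)) if c.isdigit() else (1, c)
                 for c in re.findall(r"\d+|[a-z]+", v.lower()))

def cvss_severity(score):
    """CVSS v3.x qualitative rating bands."""
    if score >= 9.0: return "CRITICAL"
    if score >= 7.0: return "HIGH"
    if score >= 4.0: return "MEDIUM"
    return "LOW" if score > 0 else "NONE"

def is_affected(installed, entry):
    """Affected when introduced <= installed < fixed; the fixed version itself is clean."""
    v = version_key(installed)
    return version_key(entry["introduced"]) <= v < version_key(entry["fixed"])

def scan(inventory, feed):
    """Match every inventory item against the feed; return findings, worst first."""
    findings = []
    for item in inventory:
        for e in feed:
            same_pkg = (e["eco"], e["pkg"]) == (item["eco"], item["pkg"])
            if same_pkg and is_affected(item["version"], e):
                findings.append({"id": e["id"], "pkg": item["pkg"], "installed": item["version"],
                                 "fixed": e["fixed"], "cvss": e["cvss"],
                                 "severity": cvss_severity(e["cvss"])})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)
```

Note that lodash 4.17.20 matches only the entry whose fixed version is 4.17.21; the entry fixed in 4.17.12 is correctly skipped, which is the boundary check a scanner gets wrong when it compares versions as plain strings.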

According to the Center for Internet Security (CIS), organizations should implement continuous vulnerability management and scanning. This level of scanning is usually provided by advanced network vulnerability scanners employing proprietary vulnerability databases that can continuously aggregate and analyze information from diverse sources.

2. Web Application Scanners 

A web vulnerability scanner checks application or website code to locate vulnerabilities that compromise the application or its back-end services. Developers and security professionals employ web application scanners as part of their application security testing strategy.

Web application scanners compare the source code against known exploits, using sources like the Open Web Application Security Project (OWASP) top 10 list of common vulnerabilities. Common exploits include injections, hijacking, cross-site scripting (XSS), and man-in-the-middle (MitM) attacks.

Effective vulnerability management for web applications requires adopting a shift-left DevSecOps approach, which typically involves deploying scanners across a secure software development life cycle (SDLC). A secure SDLC should consist of a battery of scanners, such as: 

  • Static application security testing (SAST) tools—automatically scan uncompiled source code for vulnerabilities.
  • Dynamic application security testing (DAST) tools—automatically scan compiled code in all environments, including testing and production.
  • Penetration testing tools—simulate external intrusion attacks to discover vulnerabilities that allow malicious exploits.

3. Open Source Vulnerability Scanners 

Developers use software composition analysis (SCA) tools for open source vulnerability scanning. SCA tools scan applications to identify the open source frameworks and libraries they use, including direct and indirect (transitive) dependencies, and detect known vulnerabilities in them. Some scanners can also locate the exact vulnerable area in the codebase, saving considerable effort. 

4. Kubernetes and Container Vulnerability Scanning 

Kubernetes vulnerability scanning helps identify and remediate security issues in Kubernetes deployments. This process usually involves the following actions: 

  • Update Kubernetes after discovering vulnerabilities in the open source project.
  • Scan container images and their open source components for vulnerabilities.
  • Ensure all Kubernetes configurations meet compliance requirements and industry best practices.

Scanning container images for vulnerabilities enables development teams to assess the security state of each container image and fix the issues identified during the scan. Kubernetes and container vulnerability scanning facilitates more secure development when implemented during the early phases of the development cycle.

5. Cloud Vulnerability Scanner

A cloud security scanner is a tool that helps identify and remediate security weaknesses in cloud deployments. This scanner covers the following areas:

  • Security testing—feeds malicious and unexpected inputs to a cloud system to check if it reacts securely or attempts to penetrate the cloud target to identify security weaknesses.
  • Security misconfiguration—reviews cloud-based resources, such as infrastructure as code (IaC) templates, to check whether they contain common configuration issues that create security risks, such as exposure to public networks or lack of authentication.
  • Security benchmarks and compliance—checks cloud resources against security best practices and benchmarks or compliance requirements.

8 Great Vulnerability Scanning Tools 

1. Trivy

License: Apache License 2.0

Repository: https://github.com/aquasecurity/trivy 

Trivy is a simple yet comprehensive scanner for discovering vulnerabilities, misconfigurations, and secrets in containers and various other artifacts. Once you install the binary, you can use Trivy to scan: simply specify a target, such as an image name, and Trivy starts scanning.

Trivy identifies vulnerabilities by scanning the following: 

  • Operating system packages, such as those of Alpine, CentOS, and RHEL.
  • Language-specific packages, such as Bundler, npm, Composer, and yarn.
  • Infrastructure as Code (IaC) files, like those for Kubernetes and Terraform.
  • Hardcoded secrets like passwords, tokens, and API keys.
  • License compliance.
  • Cloud security posture in providers like AWS.
  • SBOM creation.

Scanning IaC files is especially important as it can help identify potential configuration issues that may expose deployments to attacks.

2. Clair

License: Apache License 2.0

Repository: https://github.com/quay/clair 

Clair is an open source project for performing static analysis of vulnerabilities in Docker and appc containers to monitor the security state of containers. The project offers an API-driven analysis engine that can inspect containers layer-by-layer for various known security flaws. It enables developers to build services that continuously monitor containers for vulnerabilities.

Here are key features of Clair:

  • Update vulnerability data from various predefined sources and store the data in a database.
  • Query the database for vulnerabilities in specific images using an API.
  • Index container images with the features located in the image using an API.

Clair can scan each container layer and push notifications when it identifies vulnerabilities that pose a threat, drawing on vulnerability sources such as the CVE database. It supports programming-language package managers, including Python’s, and offers a newer image-oriented API.

3. OpenSCAP

License: LGPLv2.1

Repository: https://github.com/OpenSCAP

OpenSCAP is a framework that provides tools for vulnerability assessment, measurement, and scanning. It was developed by the community for vulnerability management, and in addition to scanning, the framework can help define and apply security measures. However, it supports only Linux.

You can use OpenSCAP to check your system’s security configuration settings and apply rules based on standards and specifications to discover indicators of compromise (IoCs). The framework uses NIST-maintained specifications called SCAP (Security Content Automation Protocol) to standardize the approach to system security maintenance and ensure consistent, repeatable review workflows. 

Here are key features:

  • Over 25 open source contributors.
  • Command-line interface (CLI).
  • Based on common weakness enumeration (CWE) naming conventions.
  • Available software source code.

4. Open Vulnerability Assessment System (OpenVAS)

License: GPLv2

Repository: https://github.com/greenbone/openvas-scanner 

The Greenbone Vulnerability Manager (GVM) framework provides vulnerability detection and management capabilities, including a scanning component called OpenVAS. It offers many capabilities, including: 

  • Authenticated and unauthenticated testing.
  • Low- and high-level Internet and industrial protocols.
  • An internal programming language to implement vulnerability tests.
  • Built-in features for creating vulnerability assessment reports, including combining multiple scans into one report with tables and pie charts.

OpenVAS supports more than 26,000 CVEs and runs on Unix and Linux systems. It is the default option when using Kali Linux. 

5. KubeClarity 

License: Apache License 2.0

Repository: https://github.com/openclarity/kubeclarity 

KubeClarity helps detect and manage software bill of materials (SBOM) and vulnerabilities in filesystems and container images. It is a next-generation security scanning tool that can perform fine-grained security scans of Kubernetes runtime clusters and container images. It also provides pre-deploy CI/CD scanning capability. 

KubeClarity scans CI/CD pipelines and runtime Kubernetes clusters to improve the security of software supply chains. It provides a list of the identified vulnerabilities and appropriate remediations to help understand and improve the current security posture. The app does not require any registration.

6. Web Application Attack and Audit Framework (W3AF)

License: GPLv2

Repository: https://github.com/andresriancho/w3af 

W3AF is an open source tool that scans web applications and identifies vulnerabilities. Penetration testers and ethical hackers use W3AF to find and exploit vulnerabilities in order to demonstrate, and then fix, security issues. It provides exploit capabilities for penetration testing and covers a wide range of vulnerability classes.

W3AF provides an environment and plugins for vulnerability assessment and penetration testing. Here are the plugins W3AF offers:

  • Attack—can exploit known vulnerabilities.
  • Evasion—modifies requests so that they evade detection by intrusion prevention systems (IPS).
  • Brute force—uses remote web application data to perform automatic brute force login.
  • Authentication—periodically checks for authentication, logout, login, and current session activities to inspect protected web applications.
  • Crawl—supports brute force and auditing by identifying new resources like URLs and forms.
  • Mangle—modifies requests individually.
  • Grep—identifies web application information like cookies, emails, errors, and comments by analyzing all requests and responses.
  • Output—configures framework results and also generates reports.
  • Infrastructure—discovers information about web applications external to the source code, such as remote operating systems, web application firewalls (WAFs), HTTP daemons, and remote users.

7. Nmap

License: Nmap Public Source License Version 0.94

Repository: https://github.com/nmap/nmap 

Network Mapper (Nmap) is an open source tool for port scanning, network mapping, and vulnerability assessment. It provides various features for probing computer networks, such as service and operating system detection and host discovery. 

Nmap features are extensible using scripts that offer more advanced vulnerability detection and service detection. The tool can adapt to various network conditions during a scan, including congestion and latency.

Here are key features:

  • Host discovery—identifies hosts on a tested network. For example, it can list all hosts that respond to TCP and ICMP requests.
  • Port scanning—enumerates all open ports on target hosts.
  • Version detection—interrogates network services on remote devices to help determine the application’s name and version number.
  • TCP/IP stack fingerprinting—determines the operating system and hardware characteristics of network devices from observations of their network activity.
  • Scriptable interaction with the target—provides the Nmap Scripting Engine (NSE), whose scripts are written in the Lua programming language.

Nmap provides information on targets, such as reverse DNS names, MAC addresses, and device types.

8. Dagda

License: Apache License 2.0

Repository: https://github.com/eliasgranderubio/dagda 

Dagda performs static analysis to identify known vulnerabilities, viruses, malware, Trojans, and other threats, using ClamAV’s antivirus engine and other capabilities. It scans Docker images and containers, monitoring the Docker daemon and running containers to detect anomalous activities. 

Dagda uses various sources of known vulnerabilities, including CVEs, Bugtraq IDs (BIDs), Red Hat Security Advisories (RHSAs), and Red Hat Bug Advisories (RHBAs), as well as known exploits pulled from the Offensive Security database. Dagda imports this information into a MongoDB database and compares your images against these vulnerabilities and exploits.

Once you run static analysis, Dagda retrieves information about the software installed in your Docker image, including operating system packages and programming-language dependencies. It then checks each product and version against the data in the MongoDB database to identify known vulnerabilities. 

How to Evaluate a Vulnerability Scanner 

Here are several aspects to consider when choosing a vulnerability scanner:

Support for Google Cloud, AWS, and Azure 

A vulnerability scanner must support all major cloud providers. This support enables the scanner to look for vulnerabilities across several cloud environments and comprehensively assess the application’s security posture.

Optimized for cloud security and compliance

Each cloud provider utilizes a different set of security policies. A vulnerability scanner must adhere to these policies to help support your compliance efforts. Each industry is required to comply with specific regulations. A cloud vulnerability scanner should perform these compliance-specific scans to ensure the application adheres to regulatory requirements.

Continuous scanning and CI/CD integration

CI/CD pipelines heavily rely on automation to ensure efficiency. When introducing a vulnerability scanner into the pipeline, you need to integrate it to work automatically alongside other processes. This integration can help achieve automated continuous scanning, ensuring vulnerability scans run regularly. 
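A minimal gate of the kind described above, as an added example (not code from the article, from Trivy or from Aqua): it reads a scanner report in the JSON shape Trivy emits, which is an assumption about the schema, fails the build at a chosen severity, waives unfixed findings only when told to, honours time-limited risk acceptances, and prints waived findings so they stay visible in the pipeline log rather than silently disappearing. The report contents, the image name and the CVE-0000-01xx identifiers are constructed placeholders.

```python
import json
import sys
from datetime import date

# Constructed report in the shape of Trivy's JSON output (schema is an assumption:
# a "Results" list whose entries carry "Target" and "Vulnerabilities"). The CVE
# ids, image name and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "registry.example/app:1.4.2 (alpine 3.17)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0101", "PkgName": "libcrypto3",
         "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0102", "PkgName": "busybox",
         "InstalledVersion": "1.35.0-r29", "FixedVersion": "", "Severity": "CRITICAL"}]},
    {"Target": "app/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0103", "PkgName": "minimist",
         "InstalledVersion": "1.2.5", "FixedVersion": "1.2.6", "Severity": "MEDIUM"}]},
]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def gate(report_json, fail_on="HIGH", ignore_unfixed=True, accepted=None, today=None):
    """Decide whether a build may proceed. `accepted` maps a vulnerability id to the
    ISO date its risk acceptance expires; unfixed findings are waived only when
    ignore_unfixed is set. Returns (passed, blocking, waived)."""
    accepted = accepted or {}
    today = today or date.today().isoformat()
    threshold = SEVERITY_RANK[fail_on]
    blocking, waived = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v["Severity"], 0) < threshold:
                continue  # below the gate: still in the scanner report, not blocking
            line = (f'{v["VulnerabilityID"]} {v["PkgName"]} {v["InstalledVersion"]} '
                    f'-> {v["FixedVersion"] or "no fix"} [{v["Severity"]}] {result["Target"]}')
            waiver_ok = accepted.get(v["VulnerabilityID"], "") >= today  # ISO dates sort as text
            if waiver_ok or (ignore_unfixed and not v["FixedVersion"]):
                waived.append(line)
            else:
                blocking.append(line)
    return not blocking, blocking, waived

if __name__ == "__main__":
    # Usage: python gate.py [report.json]; without an argument the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocking, waived = gate(data)
    for line in waived: print("WAIVED  ", line)
    for line in blocking: print("BLOCKING", line)
    sys.exit(0 if passed else 1)
```

A non-zero exit status is what the CI runner keys on, so the same script works unchanged as a pipeline step after the scanner has written its JSON report.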

Detailed reporting with forensic data and remediation support

A vulnerability scanner should provide a detailed report that specifies key information about the identified vulnerabilities. It should also include auditing and forensics that show how exploits work. The scanner should also offer guidance on fixing these issues to facilitate rapid remediation.

Cloud Native Vulnerability Scanning with Aqua Security

Aqua Security enables Security, Engineering, and DevOps teams with vulnerability scanning solutions for cloud native software assets, including containers, functions, Infrastructure-as-Code (IaC) templates, and VMs. Aqua’s vulnerability scanner examines cloud native artifacts for vulnerabilities and provides detailed security risk insight and remediation guidance – sourced and curated by Aqua’s dedicated cybersecurity research group Team Nautilus.

The results of Aqua’s vulnerability scans are prioritized based on contextual risk factors for faster triage, and can be integrated throughout CI/CD pipelines to empower teams with actionable insight directly in the tools they use as part of established DevOps workflows.