Vulnerability Scanning: Process, Tools, and Best Practices

Vulnerability scanning is the process of scanning software to identify exploitable vulnerabilities and assist with their remediation.

September 21, 2022

What Is Vulnerability Scanning?

Vulnerability scanning is the process of scanning computing resources to identify exploitable vulnerabilities, usually using automated tools. When new vulnerabilities are discovered, the security research community publishes signatures for those vulnerabilities. Vulnerability scanners use a list of signatures to test networks, applications, and infrastructure, identify known vulnerabilities, and assist with their remediation.

This is part of our series of articles about vulnerability management.

In this article:

Why Are Vulnerability Scans Important? 

Vulnerabilities are an open door to exploitation by attackers. The main goal of vulnerability scans is to prevent cyberattacks, or reduce their impact, by identifying and remediating critical vulnerabilities. 

In addition, vulnerability scans can help organizations become more proactive in their security efforts. Vulnerabilities often exist in a system before they cause noticeable damage. Scanning helps teams find threats and take action before serious damage occurs. Vulnerability scans also help developers and security teams prioritize risk—helping identify the issues requiring immediate action.

The Vulnerability Scanning Process

Here are the steps involved in vulnerability scanning.

Asset Discovery 

The first step in the vulnerability management process is to discover and classify an organization’s assets. These include: 

  • Source code
  • Bare metal servers and Virtual Machines (VMs)
  • Web applications
  • Cloud endpoints and hosts
  • Container images
  • Serverless applications

Asset discovery can be challenging in any environment. In a cloud native environment it is even more complex, because of the dynamic and ephemeral nature of computing resources. A common strategy for discovering cloud native assets is service discovery. 

Next, organizations should group assets to facilitate targeted vulnerability scans. They should base the asset classes on criteria like:

  • Externally exposed assets
  • Assets only accessed by internal components
  • Resources storing confidential data or serving mission critical functions

Vulnerability Assessment

The next step involves identifying and assessing vulnerabilities within the protected environment. This process includes:

  • An initial sweep of the environment to find live systems and verify their accessibility for the scans.
  • Version fingerprinting to collect system data. 
  • Correlating data and comparing it to known vulnerability lists.

Properly configured vulnerability scanners are essential to provide accurate results, reduce false positives, and avoid scanning issues. Vulnerability assessments require careful planning to ensure accuracy and consistency.

Triage and Analysis 

After identifying vulnerabilities, it is important to contextualize the vulnerability data. Scoring criteria like CVSS help organizations prioritize risks and mitigate the most critical vulnerabilities. 

The vulnerability triaging process should include the following:

  • Distinguishing real vulnerabilities from false positives.
  • Determining if vulnerabilities are exploitable via the Internet.
  • Identifying published exploits.
  • Assessing the likelihood and potential impact of a breach.
  • Identifying the security controls to mitigate attacks.

Vulnerability scanners often generate false positives due to misconfiguration. A human security team can help identify false positives and prioritize high-risk vulnerabilities.

Remediation

After confirming the risk level of vulnerabilities, the team must remediate them using various tools and techniques. There are several approaches to handling vulnerabilities:

  • Elimination—applying patches or fixing the code.
  • Mitigation—reducing the impact and likelihood of an exploit.
  • Acceptance—acknowledging the risk and choosing not to fix the vulnerability. 

Not all vulnerabilities require elimination or mitigation—other security controls might provide an adequate solution. Scanning tools offer remediation capabilities but are usually insufficient and should accompany manual investigation and remediation processes.

Verification

The final step is to validate the fixes applied to vulnerabilities to ensure they function as intended. It is a continuous process to inform the overall vulnerability management strategy.

Related content: Read our guide to vulnerability scanning process

Traditional Vulnerability Scanners 

Network Vulnerability Scanners

A network vulnerability scanner covers all systems throughout the network, sending probes to identify open ports and services, then further examining each service for details. It can discover configuration issues and known vulnerabilities. How it works may vary—organizations can install hardware devices within the network or deploy virtual devices on virtual machines to scan all other devices in the network.

Keeping devices up-to-date in line with network changes can quickly get complicated. When the network becomes more complex, the number of vulnerability scanners required to process every network segment increases.

Web Application Vulnerability Scanners

Publicly accessible web applications require regular vulnerability scans to prevent attacks. Cybercriminals often exploit web application vulnerabilities such as cross-site scripting (XSS) to inject malicious code into applications and modify trusted data, relying on the unsuspecting user to execute the malicious script.

Web application scanners are useful for verifying the implementation of input validation within a comprehensive web app security program. Security teams should continuously scan for Secure Sockets Layer (SSL) configurations and review the results to stay up-to-date. 

It is a best practice to shift security left by running static application security testing (SAST) at early development stages. This can identify web application vulnerabilities while code is being developed, and help developers fix it long before it is deployed to production.

Host-Based Vulnerability Scanners

A host-based vulnerability scanner identifies vulnerabilities by evaluating the operating systems and configurations of local network hosts such as servers. There are three main types of host-based vulnerability scans:

  • Agent-server scan—software agents installed on endpoints perform vulnerability scans and report data to the central server for further analysis. Agents typically collect real-time data and send it back to a management system. One of the problems with agent-server scans is that each agent is linked to an operating system.
  • Agentless scan—this method involves initiating scans from a central command center or based on automated schedules. It requires using administrator credentials to access network systems. Agentless scans have different operating system requirements from agent-based scans, meaning they can cover more resources. However, the evaluation requires a consistent network connection and may be less thorough than agents.
  • Standalone scan—this method does not require network connections and is the most labor-intensive host-based vulnerability scanning approach. Each host must have a scanner installed. A standalone approach may not be feasible for most organizations managing hundreds or thousands of endpoints.

After each scan, the security team must collect, compile, analyze, and report on data from every host. This data then informs mitigation procedures.

Related content: Read our guides to:

Modern Vulnerability Scanners Supporting Shift-Left Security 

Source Code Scanners

Source code is the basis of operating systems and applications. The Open Web Application Security Project (OWASP) ranked insecure designs as #4 in its top 10 vulnerabilities list for 2021.

A source code scanning tool can compare code to NIST’s National Vulnerability Database. This database lists common known vulnerabilities and exposures affecting open source code.

Cloud Vulnerability Scanners

Cloud computing offers many benefits to organizations of any size, including the scalability of SaaS, PaaS, and IaaS implementations. Virtual access controls are necessary to protect cloud infrastructure like the access control devices that physically secure a data center.

Implementing cloud security is critical to modern enterprises. Therefore, vulnerability management programs should include cloud service discovery and vulnerability scanning tools, as well as misconfiguration detection, as early as possible.

Container Vulnerability Scanners

Containerized applications are becoming increasingly popular, but they can pose a security risk if not handled properly. A major security risk with containers relates to container images—the templates used to build new containers. Container images often contain bugs and security vulnerabilities, passing on these vulnerabilities to all containers built from them.

Vulnerability scanning of container-based applications prevents security flaws and bugs vulnerabilities from reaching the production environment. It allows developers to avoid using vulnerable images to create production containers. A container vulnerability scanner continuously scans and audits containers and images, making it an integral part of the DevSecOps process.

Related content: Read our guide to container vulnerability scanning (coming soon)

Vulnerability Scanning Best Practices 

The following best practices help ensure an effective vulnerability management strategy.

Run Vulnerability Scans Frequently

Every organization should have a vulnerability management program tailored to its DevOps environment. The vulnerability management process should be accurate, continuous, and fast. Powerful vulnerability scanners are the best way to achieve this, providing the following benefits with frequent scanning:

  • Accurate reporting—machine learning-based vulnerability scanners can improve over time, increasing the accuracy of scans. They reduce the number of false positives and increase reporting accuracy, generating reports quickly.
  • Automated scanning—vulnerability scanners can automatically run checks for every code change. Each new application version can introduce potential vulnerabilities, so running automated scans for all updates is essential.
  • Compliance—security audits are mandatory in many industries, and vulnerability reporting is an important part of these activities. Therefore, regular vulnerability scanning is essential for maintaining regulatory compliance. Staying ahead of security threats also builds trust and reassures customers regarding potential security threats.

Implement Scans Early in the SDLC

Scanning shouldn’t wait until the deployment phases; packages should undergo scans immediately when built. 

Scanning as soon as possible has two advantages. First, addressing vulnerabilities early in the development pipeline is easier because the team hasn’t invested as much in the code. Suppose the security team waits until developers have run other types of tests on the package before scanning for vulnerabilities. In that case, they’d have to rebuild the software and re-run the tests if a vulnerability is detected.

Second, scanning earlier helps minimize the risk of releasing insecure applications to production. No one should push an unscanned container image to the registry where users can download and install it. 

The early scans don’t replace pre-deployment scans; evaluating the software’s risks is important before pushing it to production. However, detecting vulnerabilities early in the development cycle helps reduce the burden later in the pipeline.

Keep Packages Small

The more dependencies and overall code the packages contain, the harder it will be for the vulnerability scanner to process every layer and find vulnerabilities. Fixing security issues and rebuilding packages can also be difficult if the packages contain too many objects.

A package should only contain the code and resources needed to deploy a specific aspect of an application feature. Developers should avoid packaging multiple application components into the same package.

For example, developers can create different Docker images for each microservice. It is better than building a single image with multiple microservices. Alternatively, they can separate the application logic from the front end, using two Debian packages instead of one. 

Prioritize Vulnerabilities

Long lists of vulnerabilities in each package are unhelpful if the team tries distinguishing the more serious vulnerabilities from the less critical ones. Organizations can avoid this problem by using a scanner that allows them to assess vulnerability risks and prioritize according to each vulnerability’s likely impact. Prioritization helps teams utilize their time better, ignoring less important vulnerabilities while focusing on serious issues.

Expand Detection Coverage

Integrating security tests and scans into the CI/CD pipeline helps prevent exploits and disruptions by allowing teams to patch vulnerabilities quickly. Security teams should check many types of vulnerabilities, not just scan code. In addition to the code, they should consider the cloud and container infrastructure used to scan for vulnerabilities. Cloud service providers usually implement security best practices, but organizations should ensure they have full vulnerability detection coverage.