What is Vulnerability Scanning? [And How to Do It Right]

June 18, 2021 HackerOne Team

Wondering what vulnerability scanning is? We will explain how it works, why you need to do it, and how to do it right.

What is Vulnerability Scanning?

Vulnerability scanning uses an application (vulnerability scanner) to scan for security weaknesses in computers, networks, and other communications equipment in a system.

Vulnerability scanning helps companies identify possible ways an attacker could exploit vulnerabilities to cause outages, gain unauthorized network access, or obtain privileged information. Outdated software products, unpatched operating systems, and misconfigured hardware often lead to vulnerabilities.

Scans use many different techniques to get applications to respond or read instructions in unexpected ways. Attackers can use these flaws to execute malicious code, steal information from memory, and install backdoor software to launch new attacks.

Benefits of Running a Vulnerability Scan

Both small and large organizations can benefit from running periodic vulnerability scans to ensure their IT infrastructure isn’t susceptible to attack. For attackers, it's now easier than ever to leverage specialized tools to scan for companies with specific vulnerabilities to exploit.

Platforms like Burp Suite automatically run quarterly scans across millions of websites and applications, letting individuals narrow their search for vulnerable devices. These tools are becoming steadily easier to use, which makes scanning more valuable.

Given the cost of a cyberattack, vulnerability scans act as a cost-effective way to stay proactive in protecting your network by discovering and fixing vulnerabilities before attackers can find them.

Types of Vulnerability Scans

Ethical hacking or internal security teams can tune vulnerability scans to help detect specific vulnerable applications or areas that need improvement. Let’s take a look at a few different types of scan options.

Hacker-Powered Scans

Hacker-powered security uses a community-driven approach to vulnerability scanning by incentivizing freelance hackers to find bugs on public-facing systems. Bug bounty programs attract hackers by offering monetary rewards for each vulnerability they report. By using this method, organizations can have their system continuously tested throughout the lifecycle of the system.

Internal Scans

Internal scans run from inside the network using techniques such as privilege escalation. Internal scans can shed light on how well staff members implement permissions and help find vulnerabilities that an insider attack may use to access servers and other critical applications.

External Scans

External scans focus on assets that are online and connected to the internet. These could be employee login pages, remote access ports, or company websites. By vulnerability scanning externally, organizations can better understand how vulnerable their forward-facing online assets are and theorize how an attacker could exploit them.

Application-Based Vulnerability Scans

Application-based scanning focuses on a specific segment or aspect of the business. For example, scanning could be focused only on IoT devices or the corporate wireless network. By scanning specific applications, companies can understand how vulnerabilities in the affected systems could impact their uptime and availability. These scans help non-technical teams understand and correlate vulnerabilities with risk to business operations.

Continuous Vulnerability Scanning

Continuous scanning scans networks regularly, usually on a set schedule. These scans can use probes inside and outside the network to produce a comprehensive report of the vulnerabilities that need remediation. Continuous vulnerability scanning reassures businesses and lets administrators configure scans once rather than manually launching them every quarter.

Authenticated and Unauthenticated Scanning

Authenticated scanning gives the vulnerability scanner access to privileged credentials to move laterally and farther into the network. Unauthenticated scanning helps detect issues around the perimeter of a network and shows how an attacker can find weaknesses and vulnerabilities. The benefit of authenticated vulnerability scanning is that it helps organizations identify permissions issues and weak accounts in the network.

Examples of Vulnerability Scanning Software

There are dozens of different tools that can help discover vulnerabilities. While these tools are great for finding vulnerabilities on a network, they still need to be administered by IT professionals who can properly run the scan, interpret the results, and then implement the necessary changes.

Let’s take a look at a few popular vulnerability scanning tools.

Qualys

The Qualys cloud platform is a suite of tools that helps businesses manage their auditing and compliance using automation and on-demand security intelligence. The platform uses a series of sensors to centralize security data and provide cybersecurity insights from a single location.

OpenVAS

OpenVAS is a fully-featured vulnerability scanner that uses multiple scanning techniques to help organizations identify a wide range of internal and external vulnerabilities. The platform has a dedicated community of testers and uses its own programming language for multi-platform flexibility.

Tenable

Tenable offers vulnerability management to help organizations understand and manage their cybersecurity risk. Tenable uses continuous monitoring instead of a single vulnerability scan to provide compliance reports, risk assessments, and threat monitoring.

Osmedeus

Osmedeus specializes in both vulnerability scanning and reconnaissance gathering. The tool allows users to run several different in-depth scans and understand how their network gives attackers information during an attack’s research stage.

Network Mapper

Network Mapper (Nmap) is an open-source network scanner used to identify protocol weaknesses, view running services, and port scan different addresses.
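As the section above notes, running a scanner is only half the job; someone still has to interpret the results. The following added example (not code from the HackerOne post or from the Nmap project) parses Nmap's XML report format into a plain list of open services that a reviewer can sort, filter, or feed into a ticketing system. The XML embedded in the block is a constructed sample that mimics the structure Nmap emits with its XML output option; the addresses, hostname, and product versions in it are placeholders, not results from a real scan.

```python
"""Turn an Nmap XML report into a list of open services for review.

Added example; not HackerOne's or Nmap's own code. SAMPLE_NMAP_XML is a
constructed document that follows the shape of Nmap's XML output.
"""
import xml.etree.ElementTree as ET

# Constructed sample report (placeholder addresses, not a real scan).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port on each host that was up.

    Closed/filtered ports and hosts that were down are skipped, since they
    produce nothing a remediation owner can act on.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": attr("name"),
                "product": attr("product"),
                "version": attr("version"),
            })
    return findings


def open_ports_by_host(findings):
    """Group the parsed findings into {host: [sorted open ports]} for a quick inventory view."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["host"], []).append(f["port"])
    return {h: sorted(ports) for h, ports in grouped.items()}


def missing_version_info(findings):
    """Open services the scanner could not fingerprint; these need a manual look before they can be matched to advisories."""
    return [f for f in findings if not f["version"]]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for f in parsed:
        print(f"{f['host']}:{f['port']}/{f['protocol']} {f['service']} {f['product']} {f['version']}".rstrip())
    print(open_ports_by_host(parsed))
```

The same parser works on a file written by a real scan: read it from disk and pass the text to `parse_nmap_xml`. Anything the scanner could not fingerprint shows up through `missing_version_info`, which is usually the first list a reviewer works through because those services cannot yet be matched against vendor advisories.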

Rapid7

Rapid7 provides cybersecurity services from SIEM solutions to vulnerability management for enterprise organizations. The platform offers managed security services, product consultations, and certification programs.

Vulnerability Scans vs. Penetration Testing—What’s the Difference?

Vulnerability scans identify potential ways an attacker could exploit a network or application. Each vulnerability can be a possible doorway into a secure system if exploited. The vulnerability scan’s purpose is to find and patch those vulnerabilities before exploitation.

Penetration tests are performed to see how much of a network can be compromised. The tests also help organizations understand which systems are vulnerable and how they can remediate associated issues.

Penetration testing is a lengthy process that goes a step beyond vulnerability scanning by actually exploiting the identified vulnerabilities and running payloads on the network. While vulnerability scans show businesses the potential damage, penetration tests follow through with the attack.

Vulnerability scans are typically automated and run quarterly, while penetration testing is a manual test run annually by a security professional.

What to Do After Running a Vulnerability Scan

Depending on the type of scan and tool you use, you may be wondering what to do after the scan. The next steps vary with the type of vulnerability found. For example, a finding that depends on an old Windows XP vulnerability should be remediated by moving that application to a supported operating system.

Implementing fixes isn't always straightforward and may require a more complex approach. Remediating cross-site scripting, SQL injection vulnerabilities, and unencrypted channels requires an experienced professional.

Professional scans and companies that run vulnerability scans as a service will usually offer a report outlining what the scan discovered and pairing each vulnerability with a recommended action.

When Vulnerability Scans Aren’t Enough

Standalone vulnerability scans can help companies identify problems but may do little to prioritize or fix issues. Businesses must be able to not only find vulnerable applications but fix them as well.

Hackers scan too, and using hacker-powered security alongside your vulnerability scanning allows your organization to improve its security posture beyond specific tools, traditional office hours, or a single security team. While there are many vulnerability scanners, bug bounty programs offer a more flexible way for businesses to secure their systems.

HackerOne pairs vulnerability scanning with advanced triage to help minimize the attack window and meet internal SLA requirements. Enterprise networks may see hundreds of potential vulnerabilities during a scan, making it difficult to know where to start. HackerOne triage teams work through incoming vulnerability reports to remove false positives, collapse duplicate alerts, and streamline the remediation process.
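The two preceding sections make the same point: a raw scan result is a list of findings, not a plan, and the useful work is deduplicating, dropping unconfirmed items, and ranking what remains against a remediation SLA. The added example below (not HackerOne's code and not modelled on any particular scanner's report format) shows that triage step over a constructed set of findings. The check identifiers, CVSS scores, hostnames, the exposure bonus, and the tier-to-SLA table are all illustrative values chosen for the example, not figures from the post.

```python
"""Deduplicate, filter, and rank scanner findings for remediation.

Added example; not HackerOne's code. All findings, scores, check ids and
SLA thresholds below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str        # scanner's identifier for the check (constructed values)
    title: str
    cvss: float          # CVSS base score, 0.0 to 10.0
    internet_facing: bool
    verified: bool       # True once triage has confirmed it is not a false positive


# Constructed sample: one exact duplicate and one unverified low-severity item.
SAMPLE_FINDINGS = [
    Finding("web.example.test", "CHK-1001", "Outdated TLS configuration", 5.3, True, True),
    Finding("web.example.test", "CHK-1001", "Outdated TLS configuration", 5.3, True, True),
    Finding("db.example.test", "CHK-2040", "Unpatched database service", 9.8, False, True),
    Finding("web.example.test", "CHK-3310", "Reflected XSS in search parameter", 6.1, True, True),
    Finding("intranet.example.test", "CHK-0007", "Directory listing enabled", 2.0, False, False),
]

# Illustrative remediation windows per severity tier (assumed, not an industry standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
EXPOSURE_BONUS = 2.0  # assumed weighting for assets reachable from the internet


def dedupe(findings):
    """Collapse repeated (host, check_id) pairs; scanners re-report the same issue every run."""
    seen = set()
    unique = []
    for f in findings:
        key = (f.host, f.check_id)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def risk_score(f):
    """Exposure-weighted severity, capped at 10: the same bug matters more on a public host."""
    score = f.cvss + (EXPOSURE_BONUS if f.internet_facing else 0.0)
    return min(score, 10.0)


def tier(score):
    """Map a risk score onto a severity tier (thresholds follow common CVSS bands)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(findings):
    """Return (remediation_plan, needs_triage).

    The plan lists confirmed, deduplicated findings ordered by descending risk
    with a tier and SLA attached; unverified findings are returned separately
    so a human can confirm or close them instead of consuming remediation time.
    """
    unique = dedupe(findings)
    confirmed = [f for f in unique if f.verified]
    needs_triage = [f for f in unique if not f.verified]
    ranked = sorted(confirmed, key=lambda f: (-risk_score(f), f.host, f.check_id))
    plan = []
    for f in ranked:
        score = risk_score(f)
        t = tier(score)
        plan.append({
            "host": f.host,
            "check_id": f.check_id,
            "title": f.title,
            "score": score,
            "tier": t,
            "sla_days": SLA_DAYS[t],
        })
    return plan, needs_triage


if __name__ == "__main__":
    plan, todo = prioritize(SAMPLE_FINDINGS)
    for item in plan:
        print(f"[{item['tier']:8}] {item['score']:4.1f} {item['host']} {item['check_id']} "
              f"fix within {item['sla_days']} days: {item['title']}")
    print("awaiting triage:", [f.check_id for f in todo])
```

With the sample data, the database finding ranks first on its base score alone, while the two web findings move up a tier because they are internet-facing; the unverified directory-listing item is held back rather than silently dropped. Swap in your scanner's export and your own SLA table to get a plan you can actually hand to asset owners.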

If you’re looking for protection beyond a simple vulnerability scan, HackerOne can help. HackerOne partners with the largest and most diverse hacker community in the world to find vulnerabilities and security issues before bad actors can exploit them.

Our continuous testing platform helps organizations mitigate security risks by allowing systematic testing at every level of the Software Development Life Cycle (SDLC). Hacker-powered security helps security teams increase visibility, manage costs, and address evolving threats with consolidated, scalable security solutions.

Learn more about HackerOne here.

 
