What are vulnerability scanners and how do they work?

Regular scans of your network, web servers and applications will reveal weaknesses that attackers might exploit. Understand the different types of vulnerability scanning and how it works with pen testing.


Vulnerability scanner definition

Vulnerability scanners are automated tools that allow organizations to check if their networks, systems and applications have security weaknesses that could expose them to attacks. Vulnerability scanning is a common practice across enterprise networks and is often mandated by industry standards and government regulations to improve the organization's security posture.

There are many tools and products in the vulnerability scanning space that cover different types of assets and offer additional features that help companies implement a complete vulnerability management program — the combined processes related to identifying, classifying and mitigating vulnerabilities.

External and internal vulnerability scans

Vulnerability scans can be performed from outside or inside the network or the network segment that's being evaluated. Organizations can run external scans from outside their network perimeter to determine the exposure to attacks of servers and applications that are accessible directly from the internet. Meanwhile, internal vulnerability scans aim to identify flaws that hackers could exploit to move laterally to different systems and servers if they gain access to the local network.

The ease of gaining access to parts of the internal network depends on how the network is configured and, more importantly, segmented. Because of this, any vulnerability management program should start with a mapping and inventory of an organization's systems and a classification of their importance based on the access they provide and the data they hold.

Some industry standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), require organizations to perform both external and internal vulnerability scans quarterly, as well as every time new systems or components are installed, the network topology changes, the firewall rules are modified, or various software products are upgraded. External scans must be performed using tools from a PCI Approved Scanning Vendor (ASV).

With the widespread adoption of cloud-based infrastructure in recent years, vulnerability scanning procedures must be adapted to include cloud-hosted assets as well. External scans are especially important in this context because misconfigured and insecure deployments of databases and other services in the cloud have been a common occurrence.

Vulnerability scanning should be complemented with penetration testing. These are different processes that share the goal of identifying and evaluating security weaknesses. Vulnerability scanning is an automated activity that relies on a database of known vulnerabilities such as CVE/NVD -- scanning vendors maintain more complete databases -- but does not typically include the exploitation of identified flaws. Meanwhile, penetration testing is a more involved process that includes manual probing and exploitation by a security professional to simulate what a real attacker would do. This results in a more accurate evaluation of the risk posed by different vulnerabilities.

Authenticated and unauthenticated vulnerability scans

Vulnerability scans can be authenticated or unauthenticated, also called credentialed and non-credentialed. Non-credentialed scans discover the services a computer exposes on the network and send packets to the open ports to determine the operating system version, the version of the software behind those services, whether there are open file shares, and other information that is available without authenticating. Based on those details, the scanner searches a vulnerability database and lists the vulnerabilities that are likely to exist on those systems.

Authenticated scans use login credentials to collect more detailed and accurate information about the operating system and the software installed on the scanned machines. Some programs might not be accessible over the network but can still have vulnerabilities that are exposed to other attack vectors such as opening maliciously crafted files or accessing malicious web pages. Some vulnerability assessment solutions use lightweight software agents deployed on computers in addition to network scanners to get a better picture of the security state of various systems in the organization.

While authenticated scans collect better information and can therefore discover more vulnerabilities than unauthenticated ones, vulnerability scanning in general generates some false positives. That's because a vulnerability may have been mitigated through workarounds or security controls without installing patches or changing the affected application's version, so a check that relies on the reported version still matches.
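The three paragraphs above describe the core loop of a network scanner: infer product and version from what a port returns, look that up in a vulnerability database, and refine the result with authenticated data. The following Python is an added example, not code from any scanner product or from the article; the vulnerability database, banner patterns, the backport list and the sample hosts are all constructed for illustration (the `VULN-EXAMPLE-*` identifiers are placeholders, not real CVEs). It shows why a banner-only match can be a false positive when the distribution has backported a fix without bumping the upstream version, and how an authenticated view of the installed package can flag that.

```python
import re

# Constructed vulnerability database: product, affected version range
# [min, max) as tuples, and a placeholder identifier. A real scanner would
# load a vendor feed derived from CVE/NVD instead.
VULN_DB = [
    {"id": "VULN-EXAMPLE-001", "product": "openssh",
     "min": (7, 0, 0), "max": (8, 0, 0), "severity": "high"},
    {"id": "VULN-EXAMPLE-002", "product": "apache",
     "min": (2, 4, 0), "max": (2, 4, 50), "severity": "medium"},
]

# Constructed: distro package versions that carry a backported fix for a
# given vulnerability while still advertising the old upstream version.
BACKPORTED_FIXES = {
    "VULN-EXAMPLE-002": {"2.4.41-4+deb11u3"},
}

# Banner patterns (constructed) mapping what an unauthenticated probe sees
# on an open port to a product name and a version string.
BANNER_PATTERNS = [
    ("openssh", re.compile(r"OpenSSH[_ ](\d+\.\d+(?:p\d+)?)")),
    ("apache", re.compile(r"Apache/(\d+\.\d+\.\d+)")),
]


def parse_version(text):
    """Turn '8.2p1' or '2.4.41' into a comparable (major, minor, patch) tuple.
    Patch-level suffixes such as 'p1' are ignored for range comparison."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text}")
    return tuple(int(g) if g else 0 for g in m.groups())


def identify_service(banner):
    """Unauthenticated view: infer (product, version) from a banner, or None."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, parse_version(m.group(1))
    return None


def match_vulns(product, version):
    """Database lookup: every entry whose product and version range match."""
    return [v for v in VULN_DB
            if v["product"] == product and v["min"] <= version < v["max"]]


def scan_host(host):
    """host['banners'] maps port -> banner text (what a network scan sees);
    host['packages'] optionally maps product -> installed package version
    (what an authenticated scan or agent reports). Returns findings, each
    marked likely_false_positive when the package carries a backported fix."""
    findings = []
    packages = host.get("packages", {})
    for port, banner in host["banners"].items():
        ident = identify_service(banner)
        if ident is None:
            continue
        product, version = ident
        for vuln in match_vulns(product, version):
            pkg = packages.get(product)
            findings.append({
                "port": port,
                "product": product,
                "vuln": vuln["id"],
                "severity": vuln["severity"],
                "likely_false_positive":
                    pkg is not None and pkg in BACKPORTED_FIXES.get(vuln["id"], set()),
            })
    return findings


# Constructed sample hosts: web-1 was scanned with credentials, web-2 without.
SAMPLE_HOSTS = {
    "web-1": {
        "banners": {22: "SSH-2.0-OpenSSH_7.9p1 Debian-10",
                    80: "Server: Apache/2.4.41 (Debian)"},
        "packages": {"openssh": "7.9p1-10+deb10u2",
                     "apache": "2.4.41-4+deb11u3"},
    },
    "web-2": {
        "banners": {80: "Server: Apache/2.4.41 (Unix)"},
    },
}

if __name__ == "__main__":
    for name, host in SAMPLE_HOSTS.items():
        for f in scan_host(host):
            print(name, f)
```

Running it reports both matches on web-1 but marks the Apache finding as a likely false positive because the installed package is on the backport list, while the identical banner on the unauthenticated host web-2 stays flagged for review; that gap is exactly what authenticated scans and host agents are meant to close.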

Vulnerability scans can cause network congestion or slow down systems in some cases, which is why they're often performed outside regular working hours, when they are less likely to cause disruptions.

The vulnerabilities identified by scanners need to be reviewed, triaged and investigated by security teams, and vulnerability scanners are often part of larger solutions designed to support the whole vulnerability management process.

Security teams can use penetration testing to validate flaws and determine actual risk far better than by relying only on the severity scores listed in vulnerability databases. Penetration testing also tests the effectiveness of other defenses that might already be in place and could hinder the exploitation of a security issue. According to vulnerability management vendor Rapid7, these are some of the questions security teams should ask when evaluating vulnerability scan results:

  • Is this vulnerability a true or false positive?
  • Could someone directly exploit this vulnerability from the internet?
  • How difficult is it to exploit this vulnerability?
  • Is there known, published exploit code for this vulnerability?
  • What would be the impact to the business if this vulnerability were exploited?
  • Are there any other security controls in place that reduce the likelihood and/or impact of this vulnerability being exploited?
  • How old is the vulnerability/how long has it been on the network?
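As an added example of turning the questions above into a repeatable triage step (this is not Rapid7's method or any product's scoring; the weights, the `Finding` fields and the sample findings are constructed for illustration), the Python below scores each finding by adjusting the database severity for the answers to those seven questions and returns the reasons alongside the score, so a reviewer can see why a CVSS 9.8 internal flaw behind compensating controls ranks below a 7.5 that is reachable from the internet.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    vuln_id: str
    host: str
    cvss_base: float           # severity score from the vulnerability database
    true_positive: bool        # Q1: confirmed real, or a false positive?
    internet_exposed: bool     # Q2: directly exploitable from the internet?
    exploit_complexity: str    # Q3: "low", "medium" or "high"
    public_exploit: bool       # Q4: known, published exploit code?
    business_impact: str       # Q5: "low", "medium" or "high"
    compensating_controls: list = field(default_factory=list)  # Q6
    age_days: int = 0          # Q7: how long it has been on the network


# Constructed weights; an organization would tune these to its own risk appetite.
COMPLEXITY_WEIGHT = {"low": 1.0, "medium": 0.6, "high": 0.3}
IMPACT_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}


def triage_score(f):
    """Return (score, reasons): database severity adjusted by exposure,
    exploitability, impact, compensating controls and age, capped at 10."""
    if not f.true_positive:
        return 0.0, ["confirmed false positive; close the finding"]
    reasons = []
    score = f.cvss_base
    if f.internet_exposed:
        score *= 1.5
        reasons.append("reachable from the internet")
    else:
        score *= 0.7
        reasons.append("internal only")
    score *= COMPLEXITY_WEIGHT[f.exploit_complexity]
    reasons.append(f"{f.exploit_complexity} exploit complexity")
    if f.public_exploit:
        score *= 1.3
        reasons.append("public exploit code exists")
    score *= IMPACT_WEIGHT[f.business_impact]
    reasons.append(f"{f.business_impact} business impact")
    for control in f.compensating_controls:
        score *= 0.8   # each control reduces likelihood or impact
        reasons.append(f"mitigated by {control}")
    if f.age_days > 30:
        score *= 1.2   # long-open findings get escalated
        reasons.append(f"open for {f.age_days} days")
    return round(min(score, 10.0), 1), reasons


def prioritize(findings):
    """Order findings by triage score, highest first, keeping the reasons."""
    scored = [(triage_score(f), f) for f in findings]
    scored.sort(key=lambda pair: pair[0][0], reverse=True)
    return [(f.vuln_id, f.host, score, reasons) for (score, reasons), f in scored]


# Constructed sample scan results; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("VULN-A", "edge-vpn", 9.8, True, True, "low", True, "high", [], 45),
    Finding("VULN-B", "print-srv", 9.8, True, False, "high", False, "low",
            ["host firewall"], 5),
    Finding("VULN-C", "db-1", 5.3, False, False, "low", False, "medium", [], 3),
    Finding("VULN-D", "www-1", 7.5, True, True, "medium", False, "medium",
            ["WAF rule"], 10),
]

if __name__ == "__main__":
    for vuln_id, host, score, reasons in prioritize(SAMPLE_FINDINGS):
        print(f"{score:>4} {vuln_id} on {host}: {'; '.join(reasons)}")
```

The output lists VULN-A first at the 10.0 cap, then VULN-D at 5.4, VULN-B at 0.8 despite its identical base score, and VULN-C at 0.0 as a closed false positive; the reasons column is what a reviewer records when the ranking is challenged.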

Web application vulnerability scanners

Web application vulnerability scanners are specialized tools that can find vulnerabilities in websites and other web-based applications. While a network vulnerability scanner scans the web server itself, including its operating system, the web server daemon and the various other open services, such as database services running on the same system, web application scanners focus on the code of the application.

Unlike network vulnerability scanners that use a database of known vulnerabilities and misconfigurations, web application scanners look for common types of web flaws such as cross-site scripting (XSS), SQL injection, command injection, and path traversal. They can therefore find previously unknown vulnerabilities that can be unique to the tested application. This is also known as dynamic application security testing (DAST) and is often used by penetration testers.
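To make concrete how a DAST tool finds flaws without a database of known issues, here is an added Python example (not code from any scanner or application the article mentions). It assumes two constructed request handlers that stand in for a web application's search page, one reflecting the `q` parameter raw and one applying output encoding, and a probe routine that submits a unique marker wrapped in a harmless tag to each parameter and reports the parameters that echo the tag back unencoded, which is the reflected cross-site scripting check in its simplest form.

```python
import html
from urllib.parse import parse_qs

# Constructed handlers: each takes a query string and returns an HTML body.
def search_page_vulnerable(query_string):
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"                # raw reflection

def search_page_fixed(query_string):
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {html.escape(q)}</h1>"   # output encoding

# Unique marker so the probe can't be confused with content already on the page.
MARKER = "zqxscan7"

def probe_reflected_xss(handler, base_query, params):
    """Submit '<MARKER>' in each named parameter and return the parameters
    whose response contains the tag intact; an encoded echo such as
    '&lt;zqxscan7&gt;' is what a correctly escaping application returns."""
    probe = f"<{MARKER}>"
    vulnerable = []
    for name in params:
        qs = f"{base_query}&{name}={probe}" if base_query else f"{name}={probe}"
        body = handler(qs)
        if probe in body:
            vulnerable.append(name)
    return vulnerable

if __name__ == "__main__":
    for label, handler in [("vulnerable", search_page_vulnerable),
                           ("fixed", search_page_fixed)]:
        hits = probe_reflected_xss(handler, "", ["q", "page"])
        print(f"{label}: parameters reflecting unencoded markup -> {hits}")
```

Against the vulnerable handler the probe reports `['q']`; `page` is never reflected, so it produces no finding. Against the fixed handler the list is empty because the marker comes back as `&lt;zqxscan7&gt;`. A real scanner repeats this over every discovered parameter and several injection contexts (attribute values, JavaScript strings, URLs), but the decision rule is the same: a finding is raised only when the application's own response demonstrates the flaw, which is why DAST can surface vulnerabilities unique to the tested application.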

Web application scanners are used together with static application security testing (SAST) tools, which analyze the actual source code of web applications during the development stage, as part of secure development lifecycles (SDLCs). The Open Web Application Security Project (OWASP) maintains a list of both DAST and SAST tools and runs a benchmarking project for them.

Depending on how they're configured, external web application vulnerability scans can generate a lot of traffic, which can overload the server and lead to denial-of-service and other issues. Because of this, it's common for vulnerability testing to be integrated into DevOps and QA processes via so-called interactive application security testing (IAST) tools that are complementary to SAST and DAST. This helps identify vulnerabilities and insecure configurations before applications are released into production.

Continuous vulnerability management

When performed monthly or quarterly, vulnerability scans only provide a snapshot in time and do not reflect the security posture of the tested systems in between scans. This can lead to significant blind spots and is why the security industry recommends increasing the frequency of vulnerability scanning as part of an approach called continuous vulnerability management.

The Center for Internet Security (CIS), which maintains the popular CIS Controls, recommends weekly or more frequent scans, but increased scanning frequency must be accompanied by increased patching frequency to be effective. CIS encourages organizations to deploy automated software update tools and policies in order to ensure their systems and applications receive the latest security patches as quickly as possible.

Some vendors also offer passive scanners or sensors that continuously monitor the network to identify any new systems or applications that are added to the environment. This allows enterprises to immediately scan those assets and make sure they are free of vulnerabilities before their next network-wide scans are scheduled to run.

Several organizations have issued guidance on vulnerability scanning and management including NIST, US-CERT, the SANS Institute and the UK's NCSC.

Copyright © 2020 IDG Communications, Inc.
