The ultimate guide

to vulnerability
scanning

In today’s hyper-connected world, reports of Whether your organization is just starting out on
cyber-attacks and data breaches are commonplace. its journey to becoming more secure or looking
On any given week of the year, you can count on to improve on existing security controls and learn
seeing news reports of the latest cyber incident. more about vulnerability scanning best practices,
this guide has something for you.
With the average total cost of a data breach coming
in at an astounding $3.92 million (according to the In this guide, you’ll learn about: what is vulnerability
latest analysis by IBM), you can understand why scanning, the different types of vulnerability
cyber security is an increasing concern for businesses scanners available, vulnerability scanning frequency
all over the world. best practices, how to choose a vulnerability
scanner, and how to get up and running with your
Vulnerability scanning is a fundamental component
chosen product. So let’s get started.
of all good cyber security strategies, but it can be
complicated, and challenging to get right.
 Table of contents

Intro to vulnerability scanning 3

What is vulnerability scanning? 3

Who needs vulnerability scanning? 4
Vulnerability scanning vs penetration testing? 4

Getting started with vulnerability management 5

What should I scan? 5

Asset management 5
Scoping strategies 6
Exposure-based 6
Sensitivity-based 6
Coverage-based 6

Types of vulnerability scanners 7

Network vulnerability scanners 8

External network scanning 8
Internal network scanning 9
Agent-based scanners 9
Web application scanners 10
The OWASP Top Ten 10
Single page applications 10
False positives 10

Choosing a vulnerability scanner 11

Security issues scanners check for 12

Checking for essential features 13
Reporting 13
Pricing 14
Licencing & discovery scanning 14

2
 An introduction
to vulnerability
scanning

What is vulnerability scanning?

Vulnerability scanners offer an
Vulnerability scanning is, at the simplest level,
the use of software tools to identify and report on
excellent starting point, allowing
security issues (known as vulnerabilities) that affect an organization to identify their
your systems.
most serious and most exposed
Vulnerability scanners often have many thousands
of automated tests at their disposal, and by probing
technical weaknesses so they
and gathering information about your systems, can react before an attacker
can identify security holes which could be used
takes advantage.
by hackers to steal sensitive information, gain
unauthorized access to systems, or to cause general
disruption to your business.
Armed with this knowledge, an organization
looking to protect itself can then take action to
remediate the security weaknesses discovered.
This overall ongoing process of identifying
and fixing your weaknesses is known as
Vulnerability Management.

3
Who needs vulnerability scanning?
News headlines focus on the biggest security breaches, Successful breaches then lead to ransomware attacks,
which usually affect large organizations. So you’d or even a compromise of less-sensitive data (such as
be forgiven for thinking that cyber security is a names and addresses), which can result in an exodus
“big company” problem. However, when it comes to of customers to a competitor, or a hefty GDPR fine.
cyber security, unfortunately, small doesn’t mean safe.
Developing a comprehensive security strategy to
In the UK, a recent survey conducted by Ipsos Mori mitigate these threats is a process that takes years
on behalf of the UK Government concluded that 32% to get right, and it’s one which should constantly
of smaller businesses reported an attack or breach. change and adapt as an organization grows and the
threat landscape evolves. Vulnerability scanners
Whether it’s delivering marketing or blog content via
offer an excellent starting point though, allowing an
a website, operating internet-exposed applications or
organization to identify their most serious and most
services, or simply the laptops your employees use
exposed technical weaknesses so they can react
for work; there’s almost always a range of systems
before an attacker takes advantage.
that could be attacked. All of these systems comprise
an attack surface for hackers to target. In short, every business should understand where
their cyber weaknesses are, and get them fixed.

Vulnerability scanning
vs penetration testing?
Vulnerability scanning isn’t the only way to discover However, manual pen testing performed by
the vulnerabilities that affect your organization’s skilled and qualified professionals can discover
systems – manual penetration testing is also a security issues which are more complex or specific
common way to check your systems. However, the to the business, which require a human level of
two differ quite significantly in what they have to understanding to discover.
offer and how much they cost, so it’s a reasonable
Each has their place, and if budget allows,
question to ask which of these are appropriate
it’s certainly best practice to employ both. However,
for your organization and how often they should
for organizations that are looking to get started
be performed.
with protecting their business for the first time,
Both have their pros and cons. Vulnerability scanning we recommend first setting up a vulnerability
has the advantage that it can be performed scanner and regularly testing your publicly exposed
automatically and continuously at a lower cost, so attack surface. This makes most sense since
that new security issues can be identified soon after penetration testers also use vulnerability scanners
they are introduced. as part of their offering and there’s no point in
paying a professional to tell you something you
Meanwhile penetration testing is usually performed
could have found out for yourself. Even more
on a consultancy basis, and it comes with time
importantly, if you can only run a penetration test
and cost overheads that can slow projects down,
once per year, you remain exposed to configuration
or be prohibitive in terms of how often testing
mistakes and new vulnerabilities in between tests.
is performed.

4
 Getting started
with vulnerability
management

What should I scan?

In order to use a vulnerability scanner, you first need to know what you’re going
to point it at. It might sound simple, but if you’re new to vulnerability scanning,
you might find that there is no central record of the systems your organization
is responsible for. If that’s the case, it’s time to start keeping track – if you don’t
know what you’ve got, you won’t be able to protect it!

Asset management
It’s good practice for organizations to keep a If you’re using modern cloud systems for some of
centralized record of the systems they have your estate, then this may help somewhat, and
under management (commonly referred to as modern vulnerability scanners will be able to hook
Asset Management). Keeping up to speed with your into your cloud accounts to make this process
organization as it grows or changes is essential. seamless. However, you will undoubtedly have some
As new systems go live, or existing ones change systems that are outside this (employee devices and
their IP addresses or domains, keeping your edge routers and firewalls at the very least), so it’s
documentation up to date will help make sure that still a good idea to keep an asset register.
systems don’t fall through the gaps, and miss out
on all the hard work your scanner is putting into
identifying your security weaknesses.

5
Scoping strategies
Now you know what you’ve got, how do you decide what to scan? It’s common
for organizations to deploy a range of systems, from laptops and workstations
in the office or at home, to systems in cloud platforms like AWS, Azure, and
Google Cloud. Deciding what to include in scanning can be hard work, but there’s
multiple ways to tackle it. Here we present three strategies, exposure based,
sensitivity based and coverage based:

Exposure-based Coverage-based
Any of your systems which are publicly accessible After considering what’s exposed to the internet,
over the internet are effectively available for and where your most sensitive data is stored,
attack 24 hours a day. As a result, these systems it’s worth considering that other company systems are
are scanned for vulnerabilities by attackers on a still ripe for an attacker to compromise. Vulnerabilities
constant basis. In fact, even unskilled attackers can exist in any of your systems, and once an attacker
can automatically scan the entire internet for breaches one system, their next move is often to use
weaknesses using freely downloadable tools. that position as a foothold to launch new attacks.
Say for example your company is a tech startup and For example, hackers could breach an employee
offers services over the internet to its customers. laptop by sending emails containing malicious
This could be via a website, or web application, files (or links to malicious websites) that exploit
or anything else hosted online. While access to vulnerabilities on the system they are opened on.
these applications may be secured under normal If a device is successfully compromised, it could be
circumstances, just one weakness or mistake used to scan other systems on the same network,
occurring in one of these systems could lead to an to exploit vulnerabilities on those too. Alternatively,
immediate data breach. As these systems are the information or access to other systems gained from
ones which are being scanned day-in day-out by the laptop may be used in further attacks.
attackers, ideally you need to be doing the same to
For this reason, it often makes sense to attempt to
find those security issues before they do.
cover as many systems as possible, especially where
Serious vulnerabilities on publicly facing systems gaining access to one system could lead to breaching
typically get exploited very quickly. Weaknesses others. Which of these approaches is right for you
can crop up overnight which didn’t exist before, will depend on your business resources, and where
with farreaching consequences. and how your most sensitive data is stored – often,
the right answer will be a combination of all three.

Sensitivity-based
Your company may not have much on the internet
that is sensitive. It could be just that your main
website contains just marketing information, but all
your sensitive customer information is stored in a
central store that’s firewalled off from the internet
somewhere (whether that’s an individual’s laptop,
or a network file share). If the reputation damage
caused by a website defacement doesn’t concern you,
then in this case you may decide it makes more sense
to perform vulnerability scans on the systems where
the sensitive data is stored themselves, to make sure
they are as hardened as possible against attacks.

6
 Types of
vulnerability
scanner

There are many types of vulnerability scanner which

perform different security tasks, and cover off a
Network-based
range of different attack scenarios.
vulnerability scanners
For example, an attacker could break into your
internal network through a vulnerability on an
exposed web server, or through unpatched software
on an employee’s workstation.
Identifying these different attack vectors require
Agent-based
different use-cases of vulnerability scanners,
vulnerability scanners
and each are not always supported, so it’s worth
considering the risks to your business and finding
a scanner that is suitable.
This section goes through the different use-cases
in more detail.
Web-application
vulnerability scanners

7
Network vulnerability scanners
Network vulnerability scanners are so called because they scan your systems
across the network, by sending probes looking for open ports and services, and
then probing each service further for more information, configuration weaknesses
or known vulnerabilities. The way this works can differ, you might install a
hardware appliance inside your network, or deploy a virtual appliance on a virtual
machine, and then run scans from that machine against all others on the network.
One obvious benefit of network vulnerability scanners is that they can be quick
to set up, simply install your scanner and get scanning. They can quickly become
more complicated when it comes to maintenance though, keeping appliances
up to date, and keeping them in-step with changes on your network. This is
especially true the more complicated your networks become, and the number of
scanners you need increases to cover each network segment.

Internal vs External External network scanning

Network scanners are often configured either to An external vulnerability scan is simply one which
scan “internal” networks, or “external” networks. scans your systems from the outside. What this
really means is, the scanner’s probes come from
As a general rule of thumb, the larger and more
an untrusted internet address which is outside of
complex your private networks become, the more
any of your organization’s private networks. They
important it will be to also consider employing
simulate the activities of a remote attacker looking
an internal network scanner that can check your
at which systems and services are offered over the
internal systems for weaknesses that could lead to
internet and start by looking for vulnerabilities on
the compromise of a single system turning into a
your internet exposed systems.
wider breach.
Although the amount of information that can be
Smaller organizations with a much more modern
discovered by these scans can be limited compared
digital footprint may not decide to put internal
to the other types described below, they can also be
scanning in place early on, such as those with all their
very revealing in understanding what attackers can
servers in the cloud and a simple private network for
see. That’s because if an attacker can see a weakness,
internet access only. However, these organizations
it’s highly likely they are going to exploit it.
would still benefit from agent-based internal
scanning, so that vulnerabilities on employee’s Some vulnerability scanners are well set up to deal
devices can be identified for patching. with this situation, and have scanners ready in the
cloud, so no deployment or management of your own
systems are required. They are simply point-and-click.
Others may require you to set up your own scanning
appliance, and manage this on an ongoing basis.
While such services can be cheaper, the overheads
here can sometimes be not worth the difference
in cost.

8
Internal network scanning
Internal network vulnerability scans are designed to Internal scans can be useful for identifying potentially
find weaknesses on systems which do not expose vulnerable devices that were not known about in
ports or services to the internet. advance, as they can sweep a whole network range.
This kind of vulnerability scanning helps to cover off However, they can be highly ineffective at providing
a range of attack scenarios that couldn’t be scanned detailed information unless they are provided with
for by external vulnerability scanners. credentials for logging into systems and querying for
specific patch and configuration data. This is known
For example, if an outdated version of the Firefox
as “authenticated scanning”.
browser is in use on a company laptop, the machine
could be vulnerable to attacks if a user is convinced Authenticated scanning can provide much more
to visit a malicious website. detailed vulnerability information, but it can be tricky
to configure and maintain. For that reason, a popular
Similarly, there may be vulnerabilities in the ports or
alternative is running “agent-based” scanners.
services a device exposes within a private network
(such as weaknesses in the SMB service), which also
could not be discovered by an external scanner.
Internal network-based scanners work broadly in
the same way as external network scanners do,
except the scanning device sits within an internal
network, so services and devices which only
expose themselves within a private network can
be assessed.

Agent-based scanners
Agent-based scanning is performed by installing Both types of internal scanner have their limitations
lightweight software scanners on each device to be and advantages.
covered, which can run local vulnerability scans and
For modern organizations with simple internal
report back to a central server with the results.
networks and the majority of their infrastructure
In the same way as authenticated network scans, in the cloud, an agent-based scanner would be the
this type of scanner can pick up on a wide range of logical choice.
vulnerabilities, including weaknesses in software
For organizations with complex internal networks,
which doesn’t expose ports or services for remote
the choice of which type to go for is a little more
access at all (e.g. a vulnerable version of Firefox).
difficult, and for the most mature organizations -
While it can be a little more time consuming and where budget allows - deploying a combination
installing agents across your digital estate, they have of both types of scanner should be considered.
the benefit that once they are installed they can
For a full discussion on the advantages and
report back even if removed from the network
disadvantages of agent-based and network-based
(such as laptops being taken for home working).
scanners, we’ve written an article which goes into
more depth.

9
Web application scanners
Web application vulnerability scanners are a The OWASP Top Ten
specialized type of vulnerability scanner which
The OWASP project has long since been the go-to
focus on finding weaknesses in web applications
resource for web application vulnerabilities, and
and websites. Traditionally, they work by ‘crawling’
they release a “Top Ten” summary of the most
through a site or application in a similar way as a
common web application flaws every few years.
search engine would, sending a range of probes to
Of the ten issues OWASP lists in the latest version of
each page or form it finds to look for weaknesses.
the document, many are either poorly detected by
Many vulnerability scanners include web application web application scanners, or only certain types of
scanning as part of their offering, although it can be the flaws can be reliably detected.
licensed separately. Others are dedicated purely to
web application scanning, while some vendors include
it along with a range of other checks. Single Page Applications

One thing you might want to look out for is Modern single-page apps are tough for automated
whether the scanner can perform authenticated scanners, as they fail to properly discover and
web application scanning or not. Authenticated generate legitimate application requests to perform
scanning is where the application is scanned past their tests with.
the login page, from the perspective of a malicious
user, or attacker with credentials to log into the app.
False Positives
Due to the amount of business logic and complexity
Verifying whether vulnerabilities are false positives
that goes into making web applications, even the
is a difficult task for an automated scanner to do
very best vulnerability scanners on the market today
effectively, and most do not attempt to do so.
struggle to identify some application flaws effectively,
and they still sadly don’t come close to a human As a result, you may end up trawling through long
expert looking for flaws manually. It’s important to lists of non-issues which could quickly grow into a
understand what they are good at, and what they time-consuming process.
struggle with.
Automated scanners are certainly capable of
They are generally good at identifying straightforward discovering genuine web application security issues,
weaknesses (such as simple SQL injections and but they are unlikely to catch everything and shouldn’t
cross-site scripting flaws). Weaknesses which are be the only defense that’s put in place.
less straightforward to exploit cannot reliably be
Our recommendation is to ensure that web
detected, in particular:
applications are regularly penetration tested,
Access control weaknesses (such as unauthorized including where a web application scanner is in place.
access to information which should require a higher This strategy is a more robust way of discovering a
privileged account) wide range of weaknesses and, if budget allows, it is
a best practice.
• Exposure of sensitive information (scanners can
often discover this information, but can’t always
tell it’s sensitive!)
• Weaknesses in multi-step workflows (such
as multi-page forms) - Weaknesses involving
storing a payload which gets executed elsewhere
(such as persistent cross-site scripting)
• Session-based weaknesses (weaknesses in the
mechanisms used to manage user authentication)

10
 Choosing a
vulnerability
scanner

Choosing the right vulnerability scanner for you can For example, one of the scanners you’re appraising
be difficult, and the range of quality in vulnerability may return more security issues which are false
scanning products is significant and not always positives (issues which the scanner has mistakenly
transparent. You’ll be relying on your chosen scanner identified as a security issue). If you don’t have the
to help prevent attacks daily, so how do you know a ability within your team to verify whether a security
scanner is effective, and how are you supposed to issue is valid or not, then this exercise may not
compare one against another? We’ve included a few be enough.
due diligence tips and best practices below.
It’s also worth noting that there might not be anything
wrong with your systems right now, which reduces
the value of doing this type of comparison of scanners.
Take it for a spin If the systems you’re scanning do not have a wide
range of security problems (that you already know
Most vulnerability scanners offer limited free trials,
about), it will be tough to gauge how good a scanner is.
to give the user a chance to get used to how it
works, and what the features are. This is a great Furthermore, a lot of vulnerability scanners stuff
way to get a feel for the product, its features and their results with ‘Informational’ issues which are not
usability. A logical next step is to run a scan against actually security problems. Watch out for these and
a selection of your own systems and see what remember that a simple comparison of the numbers
comes back. If you’re comparing multiple scanners, of issues each scanner has discovered is missing
it could be good to run them both against the same the point. You’ll likely be interested in which scanner
systems and see what is discovered. Unfortunately, can find the most genuine security problems,
a like-for-like comparison of two or more scanners and the best way to do this is to scan systems which
doesn’t always show a clear picture of how are known to be vulnerable.
they compare.

11
Find out what the scanner can check for
Most vulnerability scanners offer a list of security issues that the scanner
checks for. This can be a good way to help you decide on which scanner is right
for you. By reviewing the scanner’s documentation, you can confirm that it is
capable of checking for security issues in the range of software and applications
which comprise your organization’s digital estate. We’ve listed below some broad
classes of vulnerability which a comprehensive vulnerability scanner should be
able to check for, with some examples:

Vulnerable Software Attack Surface Reduction

This class of vulnerabilities is the biggest category, Some scanners can detect areas where you could
as it includes checks for known weaknesses in all reduce your attack surface. This is the principle
kinds of 3rd party software and hardware. These are of publicly exposing only the core services you
weaknesses discovered by security researchers absolutely need to. External vulnerability scanners
in certain versions a particular technology. can identify ports and services which could
Some examples of these would be a weak version represent a security risk by leaving them exposed to
of a Nginx web server, a vulnerable FTP service or the internet. Some examples of these are: exposed
weaknesses in a Cisco router or VPN. databases, administrative interfaces, and sensitive
services such as SMB.
Web Application Vulnerabilities
These are weaknesses in your web applications. Information Leakage
There’s a wide range of weaknesses which could be This class of checks report on areas where your
used to gain unauthorized access to information, systems are reporting information to end-users
compromise the web server or attack web which should remain private.
application users. Some examples of these would
Not all vulnerability scanners include checks for all
be weaknesses such as SQL injection, cross-site
of the above categories, and within each category
scripting and directory traversal weaknesses.
the number and quality of checks vary too. Some
scanners are focussed on one particular class
Common Mistakes & Misconfigurations of vulnerabilities - for example, web application
These are a class of weaknesses which include vulnerabilities.
identifying software which has been incorrectly A web application focussed scanner wouldn’t
configured, commonly made mistakes, and security necessarily check for infrastructure level flaws, such
best practices which aren’t being followed. Some as known vulnerabilities in the web server in use.
examples of these would be exposed SVN/git If you’re only employing one vulnerability scanner,
repositories, open email relays, and or a web server it’s certainly worth making sure that it can handle
configured to reveal sensitive information. all of the above, so there aren’t any gaps in your
security coverage.
Encryption Weaknesses
A wide range of weaknesses in the encryption
configurations used to protect data in transit
between your users and servers can be identified by
vulnerability scanners. These should include checks
for weaknesses in SSL/TLS implementations, such
as use of weak encryption ciphers, weak encryption
protocols, SSL certificate misconfigurations, and use
of unencrypted services such as FTP.

12
Check for essential features Reporting
The range of vulnerability scanners on the market Reporting is an important factor to consider on
are greatly varied, and each offers a unique set of its own. There are two main uses for a security
features which offer different core functionality and report from a vulnerability scanner: your developers
“nice-to-haves” which are non-essential features and security engineers will use it to fix security
that are designed make your life easier. weaknesses, and you may also need to use it to pass
onto your partners and customers as proof of your
Before choosing a scanner, it’s worth asking yourself
secure practices.
which features are essential for you, and which you
don’t need. Armed with this knowledge, you’ll be It’s important that the security issues detailed in the
able to more easily decide which product to go with. report give remediation advice in clear language
We’ve listed below some scanner features you may that can easily be used to resolve the issue.
wish to consider: Some vulnerability scanning reports are difficult to
read and understand, whilst others present a clear,
concise description of a security issue along with
• Scheduling – can you schedule scans to run out
simple instructions on how to put a fix in place.
of peak hours, or during supported times?
It’s common for prospective customers or partners
• Frequency – how often can you run scans?
to ask for proof of security. When passing on
• Reporting – is the report easy to read and could a security report to a third party, you’ll want to
you pass it on to a customer? make sure you can easily pass on a well-formatted
• APIs – can you programmatically trigger a scan document that clearly details any remaining
after a development cycle? vulnerabilities and gives the reader a good insight
into what’s been tested for. Most vulnerability
• Compliance – is the scanner appropriate for
scanners will allow you to download a report during
your compliance requirements?
the trial period, so don’t forget to take a look.
• Cloud integrations – does the scanner
integrate with your cloud provider
• Proactive scans – can the scanner check your
systems for the latest threats automatically?

Pricing
Price and available budget are always going to be a Comparing price of vulnerability scanners is an
major consideration when choosing a vulnerability area in which it’s worth treading carefully too.
scanner. Cyber security budgets are often tight, The range of software which can be classed as a
and there are a wide range of security products ‘vulnerability scanner’ is vast, and the quality and
and other costs which are competing for the same range of checks they offer varies greatly too.
budget that will be spent on a vulnerability scanner.
If one of the options you are considering is
Thankfully, most vulnerability scanners on the market significantly cheaper than the others, then some
are fairly priced in comparison with what they offer, extra due diligence may be required to make sure
so in general you do get what you pay for. That said, that it’s capable of performing the same range of
some vulnerability scanners are cheaper because security checks as the others you are comparing it to.
they offer a cut-down set of features, which you
might not require, so some shopping around to try
out a few different scanners is time well spent.

13
Licensing and discovery scanning
Most modern vulnerability scanners have a pricing For example, you may have a range of public
model which varies depending on the number IP addresses, such as 1.2.3.4/24, which corresponds
of systems you’d like to cover. Pricing will vary to 256 IP addresses. The chances are that not all of
depending on the type of scanner you’re using, these are in use, and you may wish to save on costs
and which features you require, but broadly, you’ll be by only paying for vulnerability scanning licenses for
charged depending on the size of your digital estate the systems which are active.
and how many systems are being scanned.
This is where discovery scanning can be useful.
As we touched on in the ‘Defining the scope’ section You can run a simple scan on your range of IPs to
above, some organisations may have difficulty discover which respond – those that don’t respond
answering the question “how many licenses do we to probes on any port are either inactive or are not
need?” at this stage, as they may not know exactly exposed to the scanner, so you won’t need licenses
how many live systems they are responsible for. for those.
This can be a challenge, especially since the answer
Some modern scanners can save licenses for you
to this question may have a significant effect on the
automatically, by running discovery scans and only
cost of the scanner. Many scanners are able to help
using licenses on live systems. This feature can save
with this problem, using what’s commonly known
both time and money, as you can enter all of your
as ‘discovery scanning’. Discovery scanning is a
known IPs, and the scanner will only charge you for
light-touch scan designed to discover which systems
those they are currently live and in use.
are live and which are not.

Finally
We hope you have found some useful information on vulnerability scanning
best practices in this introductory guide by Intruder.

Intruder offers a free trial of our continuous If you have any questions on vulnerability scanning
vulnerability monitoring product, so if you’d best practices or would like to learn more about
like to give our product a spin, you can get Intruder’s comprehensive vulnerability scanner, please
started here. get in touch with the team at contact@intruder.io.

Visit Intruder to learn more and to get your 14-day free-trial intruder.io 14