Vulnerability Assessment: Security Scanning Process
by Harshit Agarwal
Until the late 1990s and early 2000s, there weren’t a lot of security vulnerabilities to talk about. In the year 2000, there were only as many as 1,020 known vulnerabilities. As far as their security scanning and remediation are concerned, they were mostly done manually.
Even if scanned by some standard security software, the reported vulnerabilities would get analyzed again by some IT experts for validity and accuracy purposes. Later the vulnerabilities would go through IT department heads and after their approval, system admins would remediate them and test again to verify the results.
Fast forward 2020, and you would find that more than 100,000 vulnerabilities are listed on the CVE (Common Vulnerabilities and Exposures) website! No doubt, it’s getting difficult to handle these many vulnerabilities for organizations of every size and scale.
Moreover, with more and more businesses starting to use modern solutions like IoT, AI, cloud, and other open-source software, the magnitude of such security vulnerabilities is expected to explode even further.
So, what’s the most viable solution under these circumstances? What should organizations do to detect security vulnerabilities at a fast pace and set forth mitigation strategies? For smart businesses, the most efficient and recommended solution to such security threats is vulnerability assessment.
What is Vulnerability Assessment?
Vulnerability assessment is a thorough testing process that is generally used to identify security threats or defects in a given system and assign severity levels to the identified threats. The process can be automated or done manually depending upon the coverage and the rigor of the assessment. Using this technique, organizations generally get informed about their security loopholes and the associated mitigation strategies to reduce the threat of any security compromise.
A security vulnerability is generally of two types:
- A flaw in the software architecture or a bug in the code which might be exploited to cause a breach.
- A weakness in the security procedures or a gap in internal controls that can be exploited later.
Depending on the type of security risk, a vulnerability assessment targets various layers of the security infrastructure like the network, host, or database or application for the detailed analysis of the security risks.
Types of Vulnerability Assessment
A vulnerability assessment efficiently highlights several kinds of security issues ranging from business logic and leakage of sensitive data to exposure of information due to API vulnerabilities, compromised databases, and third-party libraries. All this security coverage is possible because there is a specific type of vulnerability assessment for each and every threat vector. Let’s take a look at them.
Some of the Different Types of Vulnerability Assessment are:
- Host-Based Scans
The host-based vulnerability scans work on the client and server model. Here the assessment is performed by the client and the report is sent back to the server or manager.
The host-based vulnerability scanners are installed on the system’s required hosts whose monitoring is required. The host-based scanning tools provide useful insights regarding the level of damage that can be caused by threat actors once a certain level of access is gained or provided to them.
- Network-Based Scans
In the case of network-based vulnerability assessments, event-driven, distributed, or automated assessments of network systems, mail servers, operating systems, switches and routers, firewalls and applications takes place, and required remediation is sought.
Many of the network-based scanners are based on what is known as “Stack Fingerprinting”. In stack fingerprinting, various characteristics of the TCP/IP stack are identified on a remote host. This is done by matching the packets sent in response whenever a condition is initiated by the assessment tool.
- Database-Based Scans
We know how sensitive databases can be in terms of security as they hold sensitive user and business information. The vulnerability assessment for databases scans potentially risky database management systems for any possible security threat. Using these scans, attacks like SQL injection and command injection can be prevented.
- Application-Based Scans
Application-based vulnerability scanners automate the assessment of web applications in order to search for security vulnerabilities like SQL injection, Cross-site scripting, Path Traversal, Command Injection, and other insecurities related to server configuration. The tools which are used for application-based scans are generally referred to as DAST (Dynamic Application Security Testing) tools.
- Security Scanning Process
Coming to the security scanning process, it generally consists of three steps, namely SAST, DAST, and API testing. These three steps together make sure that a comprehensive security assessment framework is established for all the vulnerable resources.
SAST (Static Application Security Testing)
SAST or Static Application Security Testing is a testing method where an application is tested from the inside out and the tester has access to the application’s underlying design, framework, and implementation.
In SAST, a deployed application is not required as it assesses the binaries and source codes without the execution of the application. SAST can be executed as soon as the code is flagged as feature-complete. Using SAST, vulnerabilities can be found earlier in the SDLC and because of this, a lot of time and effort is saved.
How does it Work?
SAST is conducted using the developer approach where the application is first uploaded on the testing framework and static testing is done to cover all the code level tests and other checks. The analysis is not performed in a run-time environment and the scan happens before the code is compiled.
Also known as white-box testing, in SAST, the static analysis tool inspects the source code to track the possible run-time behavior and find out the pieces of malicious code and other flaws.
DAST (Dynamic Application Security Testing)
DAST or Dynamic Application Security Testing is purposefully designed to assess an application for security vulnerabilities while it is in the running state. In the case of DAST, the application is tested from the outside in and the tester doesn’t have knowledge about the framework or the technology on which the application is built. In DAST the vulnerabilities are identified towards the end of the SDLC.
- How does it Work?
DAST works using the hacker’s approach and in the run-time environment. In DAST, real-time interactions between the users and the application are analyzed by executing the application and run-time vulnerabilities are found. The DAST tools catch security loopholes in the application and prevent network threats including MiTM (Man-in-the-Middle) attacks.
API Security Testing
API testing is the assessment of network-exposed APIs which are a part of the organization’s infrastructure. It can be considered as the inside out testing of the server-side of an application. Fully automated API security testing tools generally perform a complete analysis of single or multiple API endpoints to validate the responses regarding performance, functional correctness, and security.
- How does it Work?
An API testing tool conducts a dynamic scan to highlight all the APIs captured in the system and initiates the testing on the API endpoints. The scanning usually takes time depending on the number of endpoints selected. Some of the common test cases that are covered in standard API tests include Command Injection Vulnerabilities in HTTP Requests, Buffer Overflow Vulnerabilities in HTTP Requests, Cross-Site vulnerabilities, SQL Injection, and others.
Choosing the Right Vulnerability Assessment Tools
Given the complexity of the vulnerabilities and other business requirements, it becomes essential to choose the right vulnerability assessment tool for your system. Let’s take a brief look at some of the features of these tools you must consider before selecting the best solution for your business.
One of the most important questions you should ask your VA (Vulnerability Assessment) vendor is whether their solution supports integration with your existing resources. Efficient VA tools easily integrate with the cloud and other virtual environments, existing security solutions like IDS/IPS and network topology tools, enterprise ticketing systems like Jira or ServiceNow, and automation and orchestration solutions among others.
- Ease of Use
When it comes to VA solutions, flexibility and ease of use should be one of the topmost priorities. The tools which are easy to operate and come with a user-friendly interface are generally more preferable than the others. Without a doubt, a product that is difficult to operate and presents confusing solutions won’t be utilized to its full potential. Even a VA solution that requires a lot of maintenance becomes a burden for the employees.
- False Positives
False Positives generally occur when a VA tool flags any security threat which is not there in the system. It might seem to be some kind of a proactive approach where even the slightest possibilities of a security threat are detected.
But in the real scenario, these false positives tend to disrupt the overall vulnerability assessment process. Suppose if the first few vulnerabilities are false positives, then the tester would assume that all the upcoming vulnerabilities are also false positives and will ignore the rest of them. So, it’s better to go for a VA tool which is known to be precise in terms of flagging vulnerabilities as false positives.
- Accurate and Swift Findings
One of the most important requirements of a VA tool is to be accurate with the findings. If the accuracy of the tool is not proper, it would produce testing errors like overlooking a present vulnerability (false negative) and flagging a vulnerability that is not there (false positive). You won’t want any of these scenarios.
Moreover, it’s crucial for a vulnerability assessment tool to detect threats swiftly so that the threat actors don’t get enough time to fool around with the sensitive data in the system.
- Payback Period (Return on Investment)
If you are going through the expense of having a vulnerability assessment tool for your business, you might as well lookout for an option that gives decent returns on your investment (ROI). After taking every possible cost into account and all the expected gains, you must move forward with the option where the payback period is low and the ROI is significant as compared to the other VA vendors.
- CXO Dashboard for Reporting
Even a simple vulnerability assessment scan can generate an overwhelming quantity of data. That is why it becomes important to be able to pick up only the required information and present it in the form of a clear and actionable dashboard for reporting. It is also important to check if the VA solution provides a combined view of vulnerabilities, asset information, and configurations so that it becomes easier for the CXOs to make smart business decisions. The option of customizable dashboards should also be there in the solution.
Open Source vs Commercial Vulnerability Assessment Tools
When it comes to selecting the most viable tool for vulnerability assessment, businesses often face a dilemma between open source vs commercial tools. So let’s take a brief look at the pros and cons of each and try to understand the difference.
- Open Source Tools:
The obvious plus point while using any open-source vulnerability assessment tool is that it has no upfront costs. Other pros include flexibility, ease of use, and regular improvements due to a large contributing community. Moreover, for those diving into the world of vulnerability assessment for the first time, it is an easy way to go with the user-friendly open-source tools.
However, added flexibility also comes with reduced reliability of these tools, and also they are weaker on the reporting side of things. Moreover, it is difficult to scale up your testing infrastructure using open source tools and you are also supposed to face compliance issues.
- Commercial Tools:
Probably one of the best things about using a commercial vulnerability assessment tool is the continuous technical support you get along with the product. Moreover, due to expansive research and development teams, these tools offer a wide security coverage and are also much superior in terms of CXO dashboarding. The cons include high upfront and maintenance costs, limited customization options, and a higher number of dependencies.
Given the rise in security vulnerabilities due to a shift towards technology-intensive work environments, it has become imperative for business leaders to make smart decisions in terms of security and adopt the recommended security practice of vulnerability assessment.
Be it open-source or any other commercial VA tool, it’s important that it should match the functional requirements of your security infrastructure and stand true to your expectations. Moreover, you must focus on upskilling your in-house teams beforehand so that they are able to manage, configure, and get the best out of the VA tool you finally choose to implement.
About the Author
Harshit Agarwal is a serial entrepreneur, passionate about end-to-end mobile app security. As a Microsoft Venture Accelerator alumni and CEO of Appknox, he works with enterprises globally ranging from some of the top Fintech companies to Fortune 100 businesses in setting up continuous mobile application security processes.