Have you ever wondered whether you have performed all the vulnerability scanning your company needs? Do you know how many types of vulnerability scanning a comprehensive vulnerability management program requires?
In general, here is what you should budget for in your vulnerability scanning capability:
- Network/Host scanning
- Web application scanning
- Cloud scanning
Network/Host scan:
- This is the minimum and most common scan.
- Covers credentialed and network scans, mostly of on-premises infrastructure.
- Eg: Tenable Nessus, Rapid7 InsightVM, Qualys.
Web Application Scan:
- Covers web applications, but is not a substitute for penetration testing.
- Scanning methodology includes SAST (white box) and DAST (black box), and needs to be configured by subject matter experts.
- Eg: HCL (IBM) Appscan, Rapid7 InsightAppSec, Netsparker Enterprise.
Cloud scan:
- This is very new and cannot be substituted by a network/host scan.
- Scans for vulnerabilities (or misconfigurations) in public cloud, containers, and CI/CD pipelines.
- Eg: Prisma Cloud, AquaSec, Netskope Cloud Security, BlackDuck.
Note that each of these scans serves a different purpose and has a very different classification of vulnerabilities. I see many have mistakenly used network/host scans to substitute for cloud scanning, giving a false sense of security.
The traditional network/host scan focuses 80% on CVEs (missing patches) and 20% on misconfiguration, while the cloud scan focuses 80% on misconfiguration. In other words, under the shift-left principle, the cloud scan will treat an unpatched CVE as a misconfiguration (due to software-defined networking and automation).
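The coverage gap described above, where a cloud, container or CI/CD asset is covered only by a network/host scan, can be caught from an asset inventory. The following is an added example, not code from the original post or from any vendor tool; the asset classes, the required-scan mapping and the inventory are constructed for the example.

```python
"""Scan-coverage gap check over a constructed asset inventory.

Each asset class requires a set of scan types (the three types from the post).
Assets whose recorded scans fall short are reported, and the specific pattern
of a network/host scan standing in for a cloud scan is called out separately.
"""
from dataclasses import dataclass, field

# Scan types from the post; the tag names are assumptions for this example.
NETWORK_HOST = "network_host"
WEB_APP = "web_app"
CLOUD = "cloud"

# Required scan types per asset class (assumed mapping for the example).
REQUIRED = {
    "server": {NETWORK_HOST},
    "web_app": {NETWORK_HOST, WEB_APP},
    "cloud_account": {CLOUD},
    "container_image": {CLOUD},
    "ci_pipeline": {CLOUD},
}


@dataclass
class Asset:
    name: str
    asset_class: str
    scanned_by: set = field(default_factory=set)


def coverage_gaps(assets):
    """Return {asset name: sorted missing scan types} for under-covered assets.

    An unknown asset class is an inventory error, so it raises rather than
    silently counting as covered."""
    gaps = {}
    for a in assets:
        if a.asset_class not in REQUIRED:
            raise ValueError(f"unknown asset class {a.asset_class!r} for {a.name}")
        missing = REQUIRED[a.asset_class] - a.scanned_by
        if missing:
            gaps[a.name] = sorted(missing)
    return gaps


def host_scan_standing_in_for_cloud(assets):
    """Assets that need a cloud scan but are scanned only by network/host."""
    return sorted(a.name for a in assets
                  if CLOUD in REQUIRED[a.asset_class]
                  and a.scanned_by and a.scanned_by <= {NETWORK_HOST})


# Constructed inventory: one correctly covered asset per gap type.
INVENTORY = [
    Asset("db-01", "server", {NETWORK_HOST}),
    Asset("shop-web", "web_app", {NETWORK_HOST}),
    Asset("prod-aws", "cloud_account", {NETWORK_HOST}),
    Asset("api-image", "container_image"),
    Asset("build-pipeline", "ci_pipeline", {CLOUD}),
]

if __name__ == "__main__":
    print(coverage_gaps(INVENTORY))
    print(host_scan_standing_in_for_cloud(INVENTORY))
```

The second function isolates the case the post warns about: an asset that looks "scanned" in the dashboard but only by a scanner whose findings are mostly missing patches rather than the misconfigurations a cloud scan would report.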