Automated Vulnerability Scanners
Learn About Automated Vulnerability Scanners And When To Use Them

Automated vulnerability scanners, or AVS, are great. They can quickly scan a vast network for vulnerabilities at a fraction of the cost of bringing in a dedicated security tester. An AVS can also be scheduled to do its work in a way that no human can. Furthermore, AVS are outstanding when it comes to scanning large network segments and comparing the results against a predefined security baseline or a previous scan.

One such scenario is a web commerce platform that uses an AVS to verify its security posture against the PCI DSS requirements in order to stay compliant. An AVS can also be used together with change management software to ensure that any configuration changes to a system have been preapproved by the organization. There can also be legal reasons why an organization would choose to implement an AVS solution.
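The comparison against a previous scan and against approved changes can be sketched in a few lines. This is an added example, not code from the article or from any scanner product; the `Finding` fields, check names, addresses and the approved-change set are all constructed for illustration.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    host: str
    port: int
    check: str  # hypothetical check identifier, not a real scanner's naming

# Constructed sample results from two scheduled scans (documentation addresses).
PREVIOUS = {
    Finding("192.0.2.5", 443, "weak-tls-cipher"),
    Finding("192.0.2.5", 22, "ssh-password-auth"),
    Finding("192.0.2.6", 80, "outdated-web-server"),
}
CURRENT = {
    Finding("192.0.2.5", 443, "weak-tls-cipher"),
    Finding("192.0.2.6", 80, "outdated-web-server"),
    Finding("192.0.2.6", 3306, "database-exposed"),
    Finding("192.0.2.7", 8443, "default-credentials"),
}
# Constructed: services whose exposure was preapproved through change management.
APPROVED_CHANGES = {("192.0.2.7", 8443)}

def diff_scans(previous, current):
    """Split findings into new, no longer reported, and unchanged."""
    return {
        "new": current - previous,
        # A finding that disappears is not proof of a fix: scanners report
        # false negatives, so these still deserve a manual look.
        "no_longer_reported": previous - current,
        "unchanged": current & previous,
    }

def services(findings):
    return {(f.host, f.port) for f in findings}

def unapproved_services(previous, current, approved):
    """Services first seen in this scan that no approved change accounts for."""
    return services(current) - services(previous) - approved

def verification_queue(previous, current, approved):
    """New findings to verify by hand, unapproved services first."""
    unapproved = unapproved_services(previous, current, approved)
    new = diff_scans(previous, current)["new"]
    return sorted(new, key=lambda f: ((f.host, f.port) not in unapproved, f))

if __name__ == "__main__":
    for f in verification_queue(PREVIOUS, CURRENT, APPROVED_CHANGES):
        print(f"verify manually: {f.host}:{f.port} {f.check}")
```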

A reliable and up-to-date AVS is arguably the best way to start off the technical phase of any security test. Using an AVS saves the security tester valuable time that can be spent manually verifying, or disregarding, the AVS findings.

Benefits of an AVS:

  • Cost efficient.
  • Can quickly cover large network segments.
  • Can be scheduled for non-business hours.
  • Relatively easy to install on the network.
  • Covers many vulnerabilities that can be too time-consuming to find manually.

Limitations of an AVS:

  • Will report false positives.
  • Will report false negatives.
  • Alas, findings will many times have to be manually verified.

The greatness of AVS aside, it can’t be stated clearly enough that the security tester who hands in a report generated by an AVS as her final report has probably misunderstood her job. A security tester will only provide appropriate value to her clients if she takes the time, and has the necessary skills, to manually verify and explain the AVS findings. She also needs to be able to read between the lines of an AVS report to find further security issues.

Despite recent advances in artificial intelligence, we have yet to see an AVS that can be plugged-and-played into the network to automatically find and report security weaknesses. Maybe we will live to see the day when all security testers are made jobless by a generation of über smart automated vulnerability scanners - but until then, we’ll need to verify their findings manually.

Robert Svensson

Tags: #vulnerabilityscanners #AVS #penetrationtesting

2017-10-30 22:18:00

This is the personal website and article collection of me — Robert Svensson. I currently work for Contentful writing about APIs, coding and the future of content management.
