How often should I scan for security vulnerabilities?


Any device that runs software or applications can contain security flaws, known as vulnerabilities. Vulnerabilities are regularly discovered in all sorts of software. Once they are discovered, malicious individuals or groups move quickly to misuse (or ‘exploit’) them to attack computers and networks in organisations with these weaknesses. Vulnerabilities also have varying degrees of severity, and new ones are logged with the NVD (National Vulnerability Database) daily.

Manufacturers and developers release regular updates that not only add new features but also fix any security vulnerabilities that have been discovered. Applying these updates (a process known as patching) is one of the most important things you can do to improve the security of your systems.

In this blog post, we set out best practices for vulnerability scanning and consider important factors such as reporting, when to scan, IT team resources and more.

How often should you run vulnerability scans on applications, APIs, and network infrastructure?

According to John Killilea, Technical Director of Checkscan+ and CommSec, the simple answer is “as regularly as you can.” With the abundance of new vulnerabilities found every week, you cannot simply wait until the end of the month or quarter, because you may miss a critical vulnerability. Some organisations believe that monthly or quarterly scans are sufficient, but times have changed, and the risks are becoming more frequent and severe.

2022 – a big year for vulnerabilities

New vulnerabilities, or CVEs (Common Vulnerabilities and Exposures), are discovered every day. This year, on average, 2,000 new vulnerabilities per month were analysed by the NVD, so it can be difficult to keep on top of them. New research from Kaspersky suggests that vulnerabilities have now overtaken phishing as the number one risk to businesses. We are also seeing severe vulnerabilities more regularly:

Top vulnerabilities in 2022 so far (Infosec):

  • ProxyLogon (CVE-2021-26855)
  • ZeroLogon (CVE-2020-1472)
  • Log4Shell (CVE-2021-44228)
  • VMware vSphere client (CVE-2021-21972)
  • PetitPotam (CVE-2021-36942)

 

Vulnerability Scanning and Reporting

There is a distinction to be made between the scanning and the reporting elements of vulnerability management. These are two separate activities that come together at the end of the desired period. You can run weekly scans on servers, devices, apps, etc., but the reports are usually delivered over a manageable period, i.e., monthly or quarterly. The reason for this is that the reports are made up of high-risk and low-risk vulnerabilities to be fixed. Trying to patch them all at once would be exhausting for the IT team implementing the fixes. So, you need to think about prioritising the high risks (must haves) and having a process in place to remediate the low risks (nice to have) over time. A good reporting service, like CheckScan+, structures the priorities and removes the false positives, making it easier for IT teams to implement patching.
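The split between frequent scanning and periodic reporting can be sketched as follows. This is an added example, not part of the original post and not CheckScan+ code; the sample scan rows, host names, placeholder finding IDs and the CVSS 7.0 cut-off for "must fix" are assumptions made for illustration.

```python
from datetime import date

HIGH_RISK_CVSS = 7.0  # assumption: CVSS >= 7.0 (High/Critical) counts as "must fix"

# Constructed sample data: (scan_date, host, finding_id, cvss, false_positive)
WEEKLY_SCANS = [
    (date(2022, 9, 5),  "web01", "CVE-2021-44228", 10.0, False),
    (date(2022, 9, 5),  "web01", "EXAMPLE-LOW-1",   3.1, False),
    (date(2022, 9, 12), "web01", "CVE-2021-44228", 10.0, False),  # still unpatched
    (date(2022, 9, 12), "dc01",  "CVE-2020-1472",  10.0, False),
    (date(2022, 9, 12), "db01",  "EXAMPLE-MED-1",   5.3, True),   # triaged as false positive
    (date(2022, 9, 19), "dc01",  "CVE-2020-1472",  10.0, False),
    (date(2022, 9, 19), "web01", "EXAMPLE-LOW-1",   3.1, False),
]

def build_report(scans, report_date):
    """Collapse many scans into one report with one row per (host, finding)."""
    merged = {}
    for scan_date, host, finding, cvss, false_positive in scans:
        if false_positive:
            continue  # analyst-confirmed false positives stay out of the report
        row = merged.setdefault((host, finding), {
            "host": host, "finding": finding, "cvss": cvss,
            "first_seen": scan_date, "last_seen": scan_date})
        row["first_seen"] = min(row["first_seen"], scan_date)
        row["last_seen"] = max(row["last_seen"], scan_date)
    latest = max(s[0] for s in scans)
    # Assumes every host is covered by the latest scan, so a finding that is
    # absent from it is treated as remediated and dropped from the report.
    open_rows = [r for r in merged.values() if r["last_seen"] == latest]
    for r in open_rows:
        r["days_open"] = (report_date - r["first_seen"]).days
    # Highest severity first, then the findings that have been open longest.
    by_risk = sorted(open_rows, key=lambda r: (-r["cvss"], -r["days_open"]))
    return {
        "must_fix": [r for r in by_risk if r["cvss"] >= HIGH_RISK_CVSS],
        "backlog": [r for r in by_risk if r["cvss"] < HIGH_RISK_CVSS],
    }

if __name__ == "__main__":
    report = build_report(WEEKLY_SCANS, date(2022, 9, 30))
    for section, rows in report.items():
        print(section)
        for r in rows:
            print(f"  {r['host']:6} {r['finding']:15} cvss={r['cvss']:<4} open {r['days_open']}d")
```

The `days_open` figure is what lets low-risk items be tracked over time rather than left in the backlog indefinitely.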

Ad hoc Vulnerability Scanning

You may need to run a one-off scan from time to time to validate any changes you make. For example, suppose you have made some major changes to your infrastructure. As soon as the changes are complete and the network is stable, you could run an external and internal vulnerability scan to validate the security.

Vulnerability Scanning and Company Size

In an ideal world, the. Larger organisations may even have dedicated IT security teams to implement vulnerability remediation such as patching. Therefore, you must be mindful to give your team enough time to implement the security patching on the current report before providing them with new information.

Scanning in Application Development

The other thing we need to consider is new applications. While apps are still in development, they may need to be heavily scrutinised and require much more regular scanning. For apps to be built properly, regular scanning should be baked in from the start and at each stage of the SDLC (software development lifecycle). This is known as DevSecOps (short for development, security, and operations), a development practice that integrates security initiatives at every stage of the software development lifecycle to deliver robust and secure applications.

Vulnerability Scanning for Compliance

You may be required to run vulnerability scans to comply or align with industry rules. For example, PCI DSS (Payment Card Industry Data Security Standard) requires vulnerability scanning every 90 days or when major changes are made to the business or IT environment.

The Best Approach for Security Testing

We believe regular and continuous vulnerability scanning is the way to go. We offer our customers a turnkey service to scan regularly, along with reporting over the desired period, i.e., weekly, monthly, or quarterly.

For the best approach to modern security testing, we recommend combining regular vulnerability scanning and reporting, with an annual penetration test. The penetration test is a manual deeper dive conducted by a qualified ethical hacker who looks into weaknesses and gaps in your IT environment. It often throws up deeper-rooted issues than an automated vulnerability scan.

In conclusion, the combination of regular vulnerability scanning and an annual penetration test is the “belt and braces” approach to eliminating risk from your IT environment.
