Vulnerability Scanning
Checking access...
Vulnerability scanning is the automated process of identifying security weaknesses in systems, applications, and networks. It is the foundation of any vulnerability management program.
Types of Vulnerability Scans
1. Authenticated vs. Unauthenticated
| Aspect | Unauthenticated | Authenticated |
|---|---|---|
| Access | No credentials — external view | Credentials provided — full internal view |
| Visibility | Open ports, services, banners | OS version, installed software, missing patches |
| False negatives | High — misses internal vulnerabilities | Low — sees the full picture |
| Network impact | Low | Moderate (credentialed checks use more resources) |
| Best for | External perimeter assessment | Internal patch compliance, configuration audit |
# Unauthenticated scan with nmapnmap -sV -sC -p- 10.0.0.0/24
# Authenticated scan with Nessus (via API)curl -X POST "https://nessus.example.com/scans" \ -H "X-ApiKeys: accessKey=KEY; secretKey=SECRET" \ -d '{ "uuid": "ad629e16-03b6-8c1d-cef6-ef8c9dd3c658", "settings": { "name": "Authenticated Scan — Linux Servers", "enabled": true, "launch": "ONETIME", "text_targets": "10.0.1.0/24", "credentials": { "ssh": { "username": "scanuser", "password": "scanpassword", "sudo": true, "elevate_privileges": true } } } }'2. External vs. Internal
| Aspect | External | Internal |
|---|---|---|
| Perspective | Internet attacker | Internal user/employee |
| What it finds | Exposed services, WAF bypass, SSL issues | Missing patches, local privilege escalation |
| Frequency | Weekly (critical), monthly (standard) | Monthly (critical), quarterly (standard) |
| Regulatory | PCI DSS: quarterly external + after changes | PCI DSS: quarterly internal + annual |
3. Network vs. Application vs. Container
Network Scanning: └─ Finds: Open ports, running services, outdated protocols └─ Tools: Nessus, Qualys, OpenVAS, nmap └─ Frequency: Weekly for critical, monthly for standard
Application Scanning (DAST): └─ Finds: SQLi, XSS, CSRF, authentication flaws └─ Tools: OWASP ZAP, Burp Suite, Acunetix └─ Frequency: Every build in CI/CD + quarterly full scan
Container Scanning: └─ Finds: Vulnerable base images, malware in images └─ Tools: Trivy, Clair, Snyk, Docker Scout └─ Frequency: Every image build, before deploymentCVSS Scoring
The Common Vulnerability Scoring System (CVSS) provides a numerical score (0-10) for vulnerability severity.
CVSS v3.1 Metrics
Base Score Metrics: └─ Attack Vector (AV): Network, Adjacent, Local, Physical └─ Attack Complexity (AC): Low, High └─ Privileges Required (PR): None, Low, High └─ User Interaction (UI): None, Required └─ Scope (S): Unchanged, Changed └─ Confidentiality (C): High, Low, None └─ Integrity (I): High, Low, None └─ Availability (A): High, Low, None
Score Ranges: └─ 0.0: None └─ 0.1-3.9: Low └─ 4.0-6.9: Medium └─ 7.0-8.9: High └─ 9.0-10.0: CriticalCVSS calculation example — Log4Shell (CVE-2021-44228):
Attack Vector: Network (0.85)Attack Complexity: Low (0.77)Privileges Required: None (0.85)User Interaction: None (0.85)Scope: Changed (1.0)Confidentiality: High (0.56)Integrity: High (0.56)Availability: High (0.56)
Base Score: 10.0 (CRITICAL)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HVulnerability Scanning Frequency
Recommended Scan Frequency:
High-Risk Assets (Internet-facing, PII, critical infrastructure): └─ External scan: Weekly └─ Internal scan: Weekly └─ Container scan: Every build └─ Web app DAST: Every deployment └─ Configuration scan: Continuous (CSPM)
Medium-Risk Assets (Internal systems, non-PII): └─ External scan: Monthly └─ Internal scan: Monthly └─ Container scan: Weekly └─ Web app DAST: Monthly
Low-Risk Assets (Development, test, isolated): └─ External scan: Quarterly └─ Internal scan: Quarterly └─ Container scan: Per release └─ Web app DAST: Per releaseFalse Positive Management
False Positive Sources: └─ Scanner misidentifies service version (banner grabbing inaccuracies) └─ Vulnerability present but not exploitable in context └─ Compensating control mitigates the risk (e.g., WAF blocks SQLi) └─ Scanner lacks context (e.g., reports missing patch but server is container)
FP Handling Process: 1. Scan runs → vulnerability reported 2. Analyst reviews finding + context 3. Determines: True positive, False positive, or Accepted risk 4. Document decision in ticketing system 5. Update scanner with exception (if applicable) 6. Re-verify on next scan cycle
FP Rate Targets: └─ Initial scan: 30-50% false positive rate (expected) └─ After 3 months tuning: < 15% false positive rate └─ Mature program: < 10% false positive rateTools Comparison
| Feature | Nessus Pro | Qualys | OpenVAS | Rapid7 |
|---|---|---|---|---|
| Price | $3,000/year (5 IPs) | $0.15/IP/year | Free | $3,000/year |
| Auth scanning | Excellent | Excellent | Good | Excellent |
| Compliance checks | CIS, PCI, HIPAA | CIS, PCI, HIPAA | Limited | CIS, PCI, HIPAA |
| Container scanning | Yes | Yes | No | No |
| Web app scanning | Basic | Yes (WAS) | No | Yes (AppSpider) |
| API | REST API | REST API | XML-RPC | REST API |
| False positive rate | Low | Low | Moderate | Low |
| Deployment | On-prem/Cloud | Cloud | On-prem | On-prem/Cloud |
Key Takeaways
- Authenticated scanning provides significantly better coverage than unauthenticated — internal view shows installed software, missing patches, and configuration issues that external scanning misses
- CVSS scores provide a standardised severity rating but have limitations — they measure technical severity, not business risk
- High-risk assets (internet-facing, PII) need weekly scanning at minimum — low-risk can be quarterly
- False positives are inevitable but manageable — a mature program achieves < 10% FP rate through systematic triage and tuning
- Container scanning must be integrated into the CI/CD pipeline — scanning running containers is too late
- PCI DSS mandates quarterly external and internal scans plus scans after significant changes
- Vulnerability scanning is a foundation but cannot find everything — combine with penetration testing for business logic flaws
- Modern scanning tools provide APIs for automation — integrate scanner output with SIEM, ticketing, and patch management
Scanning in CI/CD Pipelines
Integrating vulnerability scanning into CI/CD shifts detection left — finding issues before they reach production:
Pipeline Scan Stages
Commit Stage (per commit, <5 minutes): └─ IaC scanning: Checkov scans Terraform/CloudFormation for misconfigurations └─ Container base image scan: Trivy scans Dockerfile FROM image └─ Dependency scan: Snyk/Grype scans package.json, requirements.txt, pom.xml └─ SAST: Semgrep scans source code for vulnerabilities
Build Stage (per build, <10 minutes): └─ Container image scan: Trivy/Grype scans the built container └─ SBOM generation: Syft generates CycloneDX SBOM └─ Secret scan: TruffleHog/Gitleaks scans for hardcoded secrets
Deploy Stage (per deployment): └─ DAST: OWASP ZAP scans the deployed staging environment └─ Compliance scan: InSpec/Chef Compliance checks against CIS benchmarks └─ External scan: Temporary cloud-based scanner tests from external perspective
Production (continuous): └─ Feed scan results to SIEM for correlation with other events └─ Monitor for new CVEs affecting deployed software versions (SCA continuous monitor) └─ Agent-based scanning (CSPM agents on cloud workloads)CI/CD Integration Example (GitLab CI)
vulnerability-scan: stage: test script: # Container scan with Trivy - trivy image --severity CRITICAL,HIGH --exit-code 1 $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
# Dependency scan with Grype - grype dir:. --only-fixed --fail-on high
# Generate SBOM - syft dir:. -o cyclonedx > sbom.cdx.json
artifacts: reports: container_scanning: gl-container-scanning-report.json dependency_scanning: gl-dependency-scanning-report.jsonContainer Scanning Deep Dive
Containers present unique scanning challenges because they bundle an entire OS + application stack:
What Container Scanners Check
| Layer | What’s Checked | Example Finding |
|---|---|---|
| Base image | OS packages (apt, yum, apk) | CVE-2024-xyz in libssl.so (Ubuntu 22.04) |
| Application dependencies | npm, pip, maven, go modules | Prototype pollution in lodash@4.17.20 |
| Configuration | Insecure defaults, hardcoded secrets | Application running as root; DB password in env var |
| File permissions | World-readable sensitive files | /etc/shadow has 0644 permissions |
| Malware | Known malware signatures | Crypto miner binary detected in image layer |
Container Scanning Tools Compared
Tool | Speed | Depth | Formats | Integrations------------|---------|---------|-----------------------------|---------------------Trivy | Fastest | Good | Container, FS, Repo, SBOM | Docker, K8s, CI/CDGrype | Fast | Good | Container, FS, SBOM | Docker, K8s, CI/CDClair | Medium | Good | Container | Quay, CoreOSSnyk | Medium | Best | Container, FS, IaC, Code | All major platformsAnchore | Medium | Best | Container, SBOM | Docker, CI/CDDocker Scout | Fast | Good | Container | Docker Hub, CLICI/CD Container Scan Gate
# Fail the build if critical vulnerabilities are present# (that have a fix available)trivy image \ --severity CRITICAL,HIGH \ --exit-code 1 \ --ignore-unfixed \ my-app:$BUILD_TAG
# Generate detailed reporttrivy image \ --format sarif \ --output trivy-results.sarif \ my-app:$BUILD_TAGCompliance Scanning
Vulnerability scanners also provide compliance checks against industry benchmarks:
CIS Benchmark Scanning
# Nessus CIS compliance scan# Policy: CIS Microsoft Windows Server 2022 Benchmark# Runs 200+ checks against the target
# OpenSCAP — open-source compliance scanneroscap xccdf eval \ --profile xccdf_org.ssgproject.content_profile_cis \ --results scan-results.xml \ --report scan-report.html \ /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# InSpec — compliance as codeinspec exec cis-windows-server-2022-baseline \ -t winrm://Administrator@target-host \ --reporter html:inspec-report.htmlCompliance Framework Mapping
| Framework | Required Scan Type | Frequency | Max Acceptable Risk |
|---|---|---|---|
| PCI DSS v4.0 | External + Internal network scans | Quarterly + after changes | CVSS < 4.0 (or documented compensating control) |
| HIPAA | Risk analysis (includes scanning) | Annual + after changes | All findings must be addressed or accepted |
| SOC 2 | Vulnerability scanning | Quarterly | Defined in organisation risk appetite |
| ISO 27001 | Vulnerability scanning | Monthly + after changes | All critical/high findings must be remediated |
| NIST 800-53 | Continuous monitoring + scanning | Monthly | RA-5: scan findings addressed per severity SLA |
Vulnerability Scanning Metrics
Key Metrics to Track: └─ Scan coverage: % of assets scanned in the last 30 days Target: > 95% of all assets └─ Mean time to scan: Time from scan trigger to results available Target: < 4 hours for standard scan, < 1 hour for critical └─ Vulnerability density: Findings per asset Target: < 10 critical/high per internet-facing asset └─ Recurring findings: Same vulnerability reappearing after "fix" Target: < 5% recurrence rate (indicates process failure) └─ Scanner health: % of scheduled scans that completed successfully Target: > 98% scan completion rate └─ False positive rate: % of findings marked as false positive Target: < 10% (mature program), < 20% (developing program) └─ Time to remediate: Mean time from finding to fix Target: Critical < 7 days, High < 30 days, Medium < 90 daysKey Takeaways
- Vulnerability scanning is the foundation of any vulnerability management program — without visibility into your vulnerabilities, you cannot prioritise or remediate
- Authenticated scanning provides significantly better coverage than unauthenticated — internal view shows installed software, missing patches, and configuration issues that external scanning misses
- CVSS scores provide a standardised severity rating but have limitations — they measure technical severity, not business risk or likelihood of exploitation
- High-risk assets (internet-facing, PII) need weekly scanning at minimum — low-risk can be quarterly
- False positives are inevitable but manageable — a mature program achieves < 10% FP rate through systematic triage and tuning
- Container scanning must be integrated into the CI/CD pipeline — scanning running containers is too late; scan at build time, before deployment
- CI/CD integration enables shift-left scanning: IaC scanning (commit) → container scanning (build) → DAST (deploy) → compliance scanning (continuous)
- Compliance frameworks mandate scanning at specific frequencies (PCI DSS quarterly, HIPAA annual, ISO 27001 monthly) — scanning schedules should align with the strictest applicable framework
- Track scan metrics (coverage, density, recurrence, scanner health, FP rate, time to remediate) to measure program effectiveness
- Modern scanning tools provide APIs for automation — integrate scanner output with SIEM, ticketing (Jira, ServiceNow), and patch management tools
- Compliance scanning (CIS benchmarks, OpenSCAP, InSpec) extends traditional vulnerability scanning into configuration auditing — ensuring systems are not just patched but also securely configured
- The vulnerability scanning landscape is evolving: agent-based scanning, cloud-native scanning (AWS Inspector, Azure Defender), and container-native scanning (Trivy, Grype) complement traditional network-based scanners