Having spoken to hundreds of CIOs and CTOs of top enterprises as well as growing startups, I've frequently come across some major misconceptions regarding vulnerability scanning. Since the scope of security testing has always been so wide and broad, it's often easy to get caught up in the myths. And sadly, those are things that spread fast.
Getting a full picture of the different possibilities of getting your application hacked can be quite daunting. With the growth of mobile, IoT, etc. the scope and complexity are increasing rapidly. Additionally, hackers are getting more innovative than ever before and technology is actually making things easier for them.
Many companies simply aren't fully aware of the things that could go wrong for them in terms of security. Today's post is to bust a few of those top myths around vulnerability scanning or vulnerability assessments.
What is Vulnerability Scanning?
This term is often confused with penetration testing. So, let's take a quick example to understand what this means.
Imagine you launched a brand new chic looking e-commerce app and you are just starting to get some traction. A few people notice that you are picking the steam. Some good Samaritan comes up to you and says, "This looks great! Make sure you don't get hacked, though." Well, you laugh it off but now this has gotten into your head (and that's a good thing).
The important part in the process of development of any application is to test it for vulnerabilities, see which of those are exploitable in your environment, and finally what risks these vulnerabilities create for your product and your brand.
The first part of identifying vulnerabilities is done through a vulnerability assessment or vulnerability scanning. The second and third parts are penetration testing and risk analysis respectively.
An important thing to note here is that such scanning is done mostly using software which covers tests that are already known to the security community, hackers and other software vendors. Even then, a good vulnerability assessment will help you test your application against a wide range of tests to understand what vulnerabilities exist in your application.
A vulnerability is a weakness in a system’s programming that could allow a hacker entry. They can exist in file permissions, cached files, configuration files, and backup files. Application errors may also lead to vulnerabilities if a transaction is left unfinished or the system crashes and the user remains logged in. Once these vulnerabilities are located, developers can then carry out penetration tests to determine where the weakness resides and if it can be fixed.
Common Misconceptions About Vulnerability Scanning
Misconception 1: Vulnerability Scanning is a test that you pass
Passing a vulnerability scanning test is by no measure a conclusion that all your vulnerabilities have been mitigated. Basically, this means it's not really about passing the test. Any program, device or application usually has a large number of vulnerabilities. Many automated tests will cover most of the commonly found ones. Every time you test your application or program with a new testing system, you might be shocked to see some more vulnerabilities pop up. In fact, this is even more common with manual assessments.
So, gone are the days when you could look smart by saying that your application passed a vulnerability scanning test. The truth is no vulnerability assessment tool or person performing the tests can even find "all" of the vulnerabilities. They usually only test the obvious, more common ones.
You might still say that you've frequently heard products pass a vulnerability test. Well, that this really means is that a vulnerability scanning was performed, results analyzed and then a context-based judgment was made to determine whether the security is adequate or not given the current circumstance. This decision is made by the security manager of the application and never the ones who perform the scanning.
Misconception 2: Vulnerability Scanning only brings bad news
I've heard this first-hand. Once when I was giving a sales pitch to one of the security managers of a larger enterprise company, his CIO was extremely happy with what we reported. But later, the security manager came back to me and told me that this just makes him look like he's bad at his job.
I understand it is hard for people to admit that they have vulnerabilities in what they've built. A developer might feel that or a security researcher or manager. But the thing is, that doesn't mean you do not perform security audits and tests.
The best way to handle such situations is to make your bosses aware that you are taking the extra effort to run the application through multiple different security tests and vendors to ensure you do a much better job overall and that is what is healthy for the company in the long run.
Related topic- Key Tests Every Mobile Vulnerability Scanner Must Perform
You are doing a great job by taking all the safety measures possible. Also, vulnerabilities are not bad news. In fact, they are good. Because now that you are aware of them, you are decreasing your overall risk profile by fixing those problems.
If I build an app, I would be worried if my application doesn't show any vulnerabilities on a scanner. In that situation, I would be determined to test it out with some other vulnerability scanners too.
Misconception 3: Vulnerability Scanning helps eliminate all vulnerabilities
This is something I keep iterating over and over again - one security solution is not going to solve your problem, ever!
Understand that every security solution is designed to address a particular set of threats. Hackers know how to keep hunting for different avenues to break into an application. The bigger reason for never relying on just one security solution is that honestly, you have no idea who is attacking you or where they are coming from or how complex their attacks are.
You cannot keep them away, but you must do everything you can to keep them at bay.
In fact, using multiple security solutions will also not make you completely secure. There is no such thing is completely secure. But using multiple solutions will help you become more aware and prepared for an adverse situation and that is more than half the battle won.
Misconception 4: Automated Security Testing Matches Manual Penetration Testing in Every Aspect
Many organizations these days believe solely in the abilities of automated security testing and overlook manual testing thinking that these two will achieve the same goals. But, that’s not the truth. It’s important to notice that automated security testing is only a primitive scanning process and doesn’t perform thorough penetration testing.
Both the test types have their own pros, but the reason why you should not overlook manual penetration testing is that sometimes machines can’t comprehend the ways in which humans can break into security systems. Creativity, curiosity, and experience are generally at the core of manual penetration testing and these values pick up from where the scope of automated testing ends.
Misconception 5: All Penetration Testing Tools are the Same
The presumption that all the penetration testing tools are built the same and would all the purposes is completely wrong. Each and every tool somehow covers the basic aspects of security testing but a certain level of customization and uniqueness is always required to broaden the scope of testing. That is why testers should use a set of penetration testing solutions to achieve a required level of security.
Well, seems we have busted some of the top myths. If you are planning to perform vulnerability scanning for your application, make sure you do not wait for the entire application to be built and ready. Security assessments should be continuously done, both during development and also in the post-development updates.