Vulnerability scanning May 12, 2014 by tal Any company that has a web presence faces threats on a daily basis. A well-prepared and executed security plan can prevent these attacks, but as new threats and vulnerabilities are found on a daily basis, it is critical that companies keep the most up-to-date security and vulnerability database. It is also critical that all newly-developed or newly-added applications are scanned for vulnerabilities as these applications could potentially allow a malicious attacker to gain unauthorized access to the network. This could put sensitive company information, financial records, company assets, and confidential client, customer and employee information at risk. Differences between vulnerability scan and penetration test Both methods are used to find vulnerabilities in the company infrastructure, but there are a few differences. A vulnerability scanner takes a list of known vulnerabilities and scans the entire system searching for these specific vulnerabilities. If a vulnerability is found, it must be patched immediately and the scan performed again to ensure that the threat is gone. Vulnerability scans are critical to company security, as many of the vulnerabilities found by the scanner can be found and exploited by anyone. There are numerous network scanners and other tools that can aide “script kiddies” (attackers with little-to-no hacking experience) in a successful attack on the company system. A penetration test (or pentest) is an authorized attack on the company networking system. This probes all areas that could potentially be attacked, including outside the network, as well as inside the network. Third-party applications are tested as well, since they could be used to gain unauthorized access to the system. Pentests are typically performed in conjunction with web vulnerability scans in order to provide the company with the best analysis possible. How often should vulnerability scanners be used? Vulnerability scans should be performed on a continuous basis, especially after the installation of new software or third-party applications. Vulnerability scanners are simple to operate, and the scans can even be programmed to be automated. They can be operated by the company IT staff: this helps reduce costs from outside security professionals by utilizing the resources of in-house workers. However, if a penetration test is scheduled to take time simultaneously, it may be useful to have the outside security professional handle both tasks in order to give the best analysis possible. However, penetration tests can be performed as little as once per year, while vulnerability scans should take place on a frequent basis.