Vulnerability Scanning is an automated process, used as part of an information security program, for identifying weaknesses in a computer, IT network, or application. Vulnerability scanning may be performed by an organization’s IT or security team, or by an outsourced provider. The process uses a vulnerability scanning application or software to detect vulnerabilities—flaws in systems, software, or applications that can be exploited—by comparing what it finds against a database of known security issues, generally the Common Vulnerability Scoring System (CVSS). The CVSS is very helpful for benchmarking but does not take into account an organization’s unique environment. In addition, a vulnerability scan is only as good as its input data, so organizations should make sure the scanner is using the most up-to-date vulnerability data before running a scan.
Free and commercial vulnerability scanners are available, and attackers may also use them to find and exploit vulnerabilities on a target’s system. Vulnerability scanning is just one method of finding an organization’s security weaknesses and should supplement rather than replace other proactive methods of flaw finding, including penetration tests, red teaming, and running tools like IDS/IPS and a SIEM.
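Worked example, added here and not part of the original page: a minimal version of the comparison the text describes, with a constructed software inventory and a constructed vulnerability database (hypothetical products and advisory ids, not real CVEs), a freshness check on the database, and an assumed per-asset priority rule layered on the CVSS base score to account for the organization's own environment.

```python
from datetime import date

# Constructed sample data: products, versions, advisory ids and scores are all hypothetical.
INVENTORY = [("examplessh", "7.2"), ("examplehttpd", "1.24.0"), ("examplelib", "2.0")]
VULN_DB = {
    "last_updated": date(2024, 1, 10),
    "entries": [
        {"id": "EX-0001", "product": "examplessh", "fixed_in": "7.3", "cvss": 7.5},
        {"id": "EX-0002", "product": "examplehttpd", "fixed_in": "1.25.0", "cvss": 5.3},
        {"id": "EX-0003", "product": "examplelib", "fixed_in": "1.9", "cvss": 9.8},  # already patched
    ],
}
MAX_DB_AGE_DAYS = 7  # assumption: a feed older than a week is treated as stale

def parse_version(v):
    """Turn '1.24.0' into (1, 24, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def db_age_days(db, today):
    return (today - db["last_updated"]).days

def match_findings(inventory, db):
    """Compare each discovered product/version against the database of known issues."""
    findings = []
    for product, version in inventory:
        for entry in db["entries"]:
            if entry["product"] == product and parse_version(version) < parse_version(entry["fixed_in"]):
                findings.append(dict(entry, installed=version))
    return findings

def local_priority(finding, context):
    """CVSS base score is the benchmark; the adjustments below are an assumed local rule."""
    score = finding["cvss"]
    if not context.get("internet_facing", True):
        score -= 2.0  # not reachable from outside the organization
    if context.get("compensating_control", False):
        score -= 1.0  # e.g. a host firewall or WAF already sits in front of it
    return round(max(0.0, min(10.0, score)), 1)

def run_scan(inventory, db, context, today):
    """Refuse to report on a stale feed; otherwise return findings ordered by local priority."""
    if db_age_days(db, today) > MAX_DB_AGE_DAYS:
        raise RuntimeError(f"vulnerability database is {db_age_days(db, today)} days old; update it first")
    findings = match_findings(inventory, db)
    for f in findings:
        f["priority"] = local_priority(f, context)
    return sorted(findings, key=lambda f: f["priority"], reverse=True)

if __name__ == "__main__":
    ctx = {"internet_facing": False, "compensating_control": True}
    for f in run_scan(INVENTORY, VULN_DB, ctx, date(2024, 1, 12)):
        print(f["id"], f["product"], f["installed"], "cvss", f["cvss"], "priority", f["priority"])
```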