Automated vulnerability scanners, or AVS, are great. They can quickly scan a vast network for vulnerabilities at a fraction of the cost of bringing in a dedicated security tester. An AVS can also be scheduled to do its work in a way that no human can. Furthermore, AVS are outstanding when it comes to scanning large network segments and comparing the results against a predefined security baseline or a previous scan.
One such scenario is a web commerce platform that uses an AVS to verify its security posture against the PCI DSS requirements in order to stay compliant. An AVS can also be used together with change management software to ensure that any configuration changes to a system have been preapproved by the organization. There can also be legal reasons why an organization would choose to implement an AVS solution.
A reliable and up-to-date AVS is arguably the best way to start off the technical phase of any security test. Using an AVS saves the security tester valuable time, which can then be spent manually verifying, or disregarding, the AVS findings.

Benefits of an AVS:
Limitations of an AVS:
The greatness of AVS aside, it can’t be stated clearly enough that the security tester who hands in a report generated by an AVS as her final report has probably misunderstood her job. A security tester will only provide appropriate value to her clients if she takes the time, and has the necessary skills, to manually verify and explain the AVS findings. She also needs to be able to read between the lines of an AVS report to find further security issues.
Despite recent advances in artificial intelligence, we have yet to see an AVS that can be plugged-and-played into the network to automatically find and report security weaknesses. Maybe we will live to see the day when all security testers are made jobless by a generation of über smart automated vulnerability scanners - but until then, we’ll need to verify their findings manually.
Tags: #vulnerabilityscanners #AVS #penetrationtesting