Those of us who live and breathe information security on a daily basis understand that vulnerability scans are only part of the information security assessment equation. We can’t live without them, but as I’ve outlined here, we by all means cannot rely on them completely.
I was just speaking with a colleague about this and came up with an analogy for our overdependence on external vulnerability scans in the name of PCI DSS, lack of funds to do it right, or whatever the excuse du jour: Relying solely on basic unauthenticated vulnerability scans to find all the security problems on your network is like depending on a home inspector to check out your new digs from his automobile on the street. He may be able to find some issues with the porch, roof, siding or driveway – especially if he’s got a good set of binoculars – but he’s certainly not going to see what’s really taking place on the inside. Vulnerability scans are no different, especially in the case of Web applications.
Moral of the story: Don’t trust that external vulnerability scans will show you where your network security truly stands. It’s shortsighted and will bite you when you least need/expect it. And, if the breach ends up in a lawsuit or going to court, it’ll most certainly be brought out by the lawyers and their expert witness that due diligence was started but not performed up to par.