Those of us who live and breathe information security on a daily basis understand that vulnerability scans are only part of the information security assessment equation. We can’t live without them but as I’ve outlined here we by all means cannot rely on them completely.
I was just speaking with a colleague about this and came up with an analogy for our overdependence on external vulnerability scans in the name of PCI DSS, lack of funds to do it right or whatever the excuse du jour: Relying solely on basic unauthenticated vulnerability scans to find all the security problems on your network is like depending on a home inspector to check out your new diggs from his automobile on the street. He may be able to find some issues with the porch, roof, siding or driveway – especially if he’s got a good set of binoculars – but he’s certainly not going to see what’s really taking place on the inside. Vulnerability scans are no different, especially in the case of Web applications.
Moral of the story: Don’t trust that external vulnerability scans will show you where your network security truly stands. It’s shortsighted and will bite you when you least need/expect it. And, if the breach ends up in a lawsuit or going to court, it’ll most certainly be brought out by the lawyers and their expert witness that due diligence was started but not performed up to par.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”