Systems containing customer information should undergo vulnerability scans regularly. Issues should be documented in accordance with your change management policy. At the very least, critical and high issues should be remediated in a timely manner.
External Vulnerability Scan
An external vulnerability scan targets an organization's externally facing technology, such as the company web application, API, website, email servers, and firewalls. The purpose of this scan is to identify vulnerabilities that could be exploited by external threats, such as hackers or malicious software. These scans mimic the actions of potential attackers, identifying weaknesses in networks, systems, and applications that are accessible via the internet. They help ensure that any public-facing component of your IT infrastructure is secure and resistant to known vulnerabilities.
For external vulnerability scanning, open source and commercial tools can be found here. Moreover, Dynamic Application Security Testing (DAST) tools, which are relevant to external vulnerability scanning, can be found here.
Internal Vulnerability Scan
An internal vulnerability scan, on the other hand, focuses on identifying vulnerabilities from within the organization's internal network. This scan aims to identify vulnerabilities that might be exploited by an insider threat or by malware that has already penetrated the network perimeter. The internal scan can reveal vulnerabilities in network infrastructure such as servers, workstations, or other devices connected to your network, as well as vulnerabilities in the company's own software product code. It can help you understand the potential damage an insider or a malicious program could cause if they gained access to your network.
For internal vulnerability scanning, some cloud service providers (CSPs) have native services such as AWS Inspector for AWS, Microsoft Defender for Azure, or Web Security Scanner for GCP. Other tools to consider are SonarCloud, Snyk, Acunetix, Burp Suite (by PortSwigger), and OWASP ZAP (Zaproxy).
We also recommend performing code security testing on in-scope production code. Here are some recommended tools based on what you use for software development:
- For GitHub, utilize the built-in and open source tool CodeQL to query your code and find vulnerabilities. Dependabot can also be used with GitHub.
- For GitLab, the CI/CD suite can perform various types of scans, including Static Application Security Testing (SAST) and API fuzzing.
- For CircleCI, there are several ways to integrate leading DevOps security tools that conduct code scans.
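As an added example (not part of this guidance or of any tool it names), the following Python script triages a CodeQL SARIF report the way the remediation rule at the top expects: it reads each rule's `security-severity` score, maps it to the critical/high/medium/low bands GitHub uses for code scanning alerts, and exits non-zero while critical or high findings remain open, so a CI job can block the build. The SARIF document embedded in it is constructed, not real scan output.

```python
# Bands GitHub applies to CodeQL's "security-severity" score (CVSS-style, 0.0-10.0):
# critical >= 9.0, high >= 7.0, medium >= 4.0, anything lower is low.
BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))

def severity_band(score):
    """Map a numeric security-severity score to its band name."""
    return next(name for name, floor in BANDS if score >= floor)

def triage_sarif(sarif, fail_on=("critical", "high")):
    """Return (findings, blocking): every result tagged with its band, and the
    subset whose band is in fail_on and therefore needs timely remediation."""
    findings = []
    for run in sarif.get("runs", []):
        # The score lives on the rule, not the result, so index rules first.
        # Non-security queries carry no score; they are treated as low (never blocking).
        scores = {r["id"]: float(r.get("properties", {}).get("security-severity", 0.0))
                  for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            loc = result["locations"][0]["physicalLocation"]
            findings.append({
                "rule": result["ruleId"],
                "severity": severity_band(scores.get(result["ruleId"], 0.0)),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "message": result["message"]["text"],
            })
    blocking = [f for f in findings if f["severity"] in fail_on]
    return findings, blocking

# Constructed, minimal SARIF in the shape CodeQL emits; not real scan output.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "js/sql-injection", "properties": {"security-severity": "8.8"}},
        {"id": "js/log-injection", "properties": {"security-severity": "6.1"}},
        {"id": "js/unused-local-variable", "properties": {}}]}},
    "results": [
        {"ruleId": "js/sql-injection", "message": {"text": "Query built from user input."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.js"}, "region": {"startLine": 42}}}]},
        {"ruleId": "js/log-injection", "message": {"text": "Log entry built from user input."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.js"}, "region": {"startLine": 17}}}]},
        {"ruleId": "js/unused-local-variable", "message": {"text": "Variable x is unused."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.js"}, "region": {"startLine": 3}}}]}]}]}

if __name__ == "__main__":
    findings, blocking = triage_sarif(SAMPLE_SARIF)
    for f in findings:
        print(f"{f['severity']:<8} {f['rule']} {f['file']}:{f['line']}  {f['message']}")
    # A non-zero exit lets a CI job fail while critical/high findings remain open.
    raise SystemExit(1 if blocking else 0)
```

For a real report, load the file produced by the CodeQL analyze step with `json.load` and pass the resulting dict to `triage_sarif`; the same mapping applies to any SARIF producer that sets `security-severity` on its rules.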
In summary, external vulnerability scans help protect your organization from threats outside your network, while internal vulnerability scans help protect from threats that are already inside or have found a way into your network. Both types of scans are necessary components of a comprehensive security strategy, providing a full picture of your organization's vulnerability landscape.