Looking to hop aboard the Web vulnerability scanning bandwagon to see just how vulnerable your Web site or application really is? Well, not so fast. Here are some signs you’re not ready to begin just yet:
1. You don’t have any desired outcomes from your scanning other than a PDF report you can share with management. Put nothing into your scans and you’ll get exactly that.
2. You’re using an outdated, unproven, “free” scanner because people on the Internet said it was good. In terms of learning curve, finding the issues that matter, and reporting, a free scanner is often the costliest tool of all.
3. You haven’t bothered to at least read the included documentation to learn the basics on how to use the scanner. Entering a URL and blindly clicking Go is a surefire way to not only get very little out of what you’re doing but to also create a false sense of security that all’s well if nothing is found.
4. You’re doing it to please someone else – or shut someone else up – and aren’t going to take any real action on the findings. Creating the facade that you’re doing the right thing in the name of “audit” or “compliance” creates more risks than it mitigates.
5. You’ve gotten the impression that all you have to do is look for Web security issues that match the popular top Web vulnerability lists available on the Internet. Just because a certain set of vulnerabilities happens to be the most common doesn’t mean you’ll have them, nor does it mean you won’t have extensive issues beyond them.
6. You’re prepared to announce to management that the sky’s falling and the plug needs to be pulled on your business’s Web presence simply because it appears a huge flaw is present. Making a big deal out of everything without determining the actual impact to your business is a great way to lose your credibility and put an end to any vulnerability assessment program you’re trying to build.
7. You’ve been instructed to just run a quick scan from the Internet for now. Not looking at an application from every reasonable perspective – both with and without authentication – will rarely serve to give you what you need.

In our world of information security, when it comes to scanning Web systems for vulnerabilities, “good enough” hardly ever is. If your true goal is to minimize business risks, then you might as well go about running your Web vulnerability scans the right way. By doing so, you’ll get more out of your money and your efforts, you’ll find the security flaws that matter in your environment, and you won’t be surprised when you find out someone else discovered a flaw that you missed.

Go into this with the proper mindset and you’ll do just fine. Jump in headfirst without thinking and you’re setting yourself – and your business – up for failure.

Kevin Beaver

Kevin Beaver, CISSP, is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.