Ruslan Rakhmetov, Security Vision
Every object in our lives has areas where that object becomes vulnerable. Outdated applications, insecure networks and weak passwords are just as dangerous as gaps in fortress walls, old water pipes in flats and overly simple combinations on safes. For information systems, we will look at the vulnerabilities specific to them, the different types of scanners, and the approaches used to find weaknesses.
Vulnerability scanners are tools for analysing networks, applications, operating systems, databases and other IT infrastructure components, and they fall into several groups. We have already covered source code scanners (static, dynamic and combined), which resemble classic vulnerability scanners but are aimed at the application development process; in the current review we consider the other groups and the individual scanning methods.
Depending on the position of the scanner and the objects it will analyse, we can distinguish between network, cloud and host scanners.
Just as a plumber looks for leaks in pipes, a network scanner identifies weaknesses in the connections between devices. Thanks to a centralised engine, such a scanner can cover the infrastructure as quickly as possible; it works like a security guard checking the entire area around the house for suspicious zones. Such scanners are used to analyse the entire corporate network (servers, routers, printers, IoT devices), identify open ports and services, and check firewall and VPN settings. Using network scanning tools, you can monitor network segmentation and detect obsolete protocols (e.g., TLS 1.0). In large networks, the tool may overload communication channels or simply run for a long time, but with proper scheduling, creating scanning tasks for specific "windows" on specified subnets, everything runs more smoothly.
Cloud scanners focus on analysing cloud services (AWS, Azure, GCP, etc.) for misconfigurations, access control issues and compliance with standards (e.g. SOC2, ISO 27001). This is similar to checking a house with a thermal imager, or walking round a warehouse with different zones and checking personnel access. Because of this specialisation, these scanners detect cloud-specific configuration errors and often offer additional options to protect against data breaches.
Host scanners aim to analyse operating systems and installed applications, outdated components and misconfigured services. They work like a PC repairman who has to get hold of the machine, take it apart, and then test each component to make sure it is working properly. Like a door-to-door inspection of gas pipes or taking measurements in a flat before starting renovations, this type of scanning requires direct access to the object under investigation. In return, this type of scanner can perform the most in-depth analysis of a particular device and its configuration, which makes it suitable for servers and workstations.
Scanners are distinguished not only by their position, but also, for example, by the types of data and systems they target. Web application testing, for instance, uses scanners that test the functionality and security of interfaces. If you think of such an interface as the set of buttons on a coffee machine, the scanner will press all the buttons to make sure that no boiling water pours onto the user. Since each web application is a whole set of interfaces, specialised scanners can cover the whole spectrum of vulnerabilities: XSS and SQL injection, use of insecure cookies and tokens, API security. The scanner not only analyses applications but can simulate attacker behaviour, look for authorisation and authentication vulnerabilities, or more generally check compliance with OWASP security recommendations.
Another type of scanners focuses on the back end of the application - the database. This type of scanner checks database configurations, identifies insecure SQL queries, analyses stored data for compliance with privacy policies and standards (e.g., 152-FZ and GDPR), checks roles and permissions, and analyses backup encryption. Just as a warehouse inventory checker checks the warehouse for expired or misplaced products, a scanner looks for vulnerabilities in the database structure.
Separately, we can highlight mobile app scanners, which check whether a mobile app can easily be "tricked", much as a buyer checks whether a car's alarm system is reliable before purchasing it. Analysis of mobile applications (iOS, Android) includes checks for common vulnerabilities (e.g., data leakage, weak encryption) and for problems in APIs, mobile libraries and SDKs, which is relevant before publishing in the App Store, Google Play, RuStore or other marketplaces. Such scanners support the most popular development languages (Java, Kotlin, Swift) and analyse both source code and ready-built APK/IPA packages, with integration into DevSecOps.
All of these tools use different methods to find vulnerabilities, so let's focus on them individually:
1) The authenticated method performs a credentialed scan to deeply inspect the system's internal state, settings, and dependencies. Like a mechanic testing a car from inside the cabin, this method checks the system by accessing its internal functions. It is used to assess internal security.
2) Unauthenticated scanning, on the other hand, examines the system from the outside, as an intruder would without access to any accounts. It is used to check the external defences and the perimeter, and is like observing a house and its occupants through the windows.
3) Signature-based scanning searches for known vulnerabilities by matching the system being scanned against a database of known vulnerabilities (e.g. CVE). It is used in antivirus, IDS/IPS systems, and vulnerability scanners. Just as a doctor recognises a disease by its typical symptoms, this method identifies problems by their known characteristics.
4) Configuration analysis (also called security profile compliance) verifies that system settings conform to recommended standards and analyses access rights, firewall settings, software versions and encryption. Used in security audits, it works like a chef making sure the knives are sharp and the oven is properly configured for cooking.
5) Heuristic Analysis predicts possible vulnerabilities based on code analysis or system behaviour (for example, it detects potential errors in application logic or suspicious patterns in requests). It is often used to protect against new, previously unknown threats and is similar to a lie detector, which detects uncharacteristic reactions; behavioural analysis detects unnatural actions of the system.
6) Fuzzing or fuzz testing sends random or specially crafted data to an application to cause failures or errors. Like a child pressing all the buttons on a remote control, fuzzing feeds random data into the application to provoke a failure, and is used to check how robustly a system handles unexpected input. It is used to test network protocols, APIs, and drivers.
7) Log and Behavioral Analysis processes event logs and behavioural metrics to identify suspicious activity such as repeated login attempts or sudden increases in traffic. Event log analysis is a special case of log analysis that focuses on examining a system's event history. It detects signs of hacking or exploitation attempts. This method can be compared to the work of an accountant who needs to reconcile receipts with actual expenditures (a scanner analyses logs to find discrepancies).
8) Penetration testing (pentest) is manual or automated testing that simulates the actions of a real attacker. It evaluates a system's defences from the attacker's point of view: like a handyman who goes out to diagnose and repair complex equipment, pentesters manually probe the system for weaknesses. This method is used for comprehensive security testing and often requires creativity. It is used to test all possible entry points.
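Item 3) above describes signature-based scanning as matching the scanned system against a database of known vulnerabilities. The following Python example, added here and not taken from the original article or from Security Vision's products, shows the core of that matching step for software versions: an inventory of installed packages is compared against a small advisory database with affected version ranges. The advisory identifiers (ADV-000x), the products and the version ranges are constructed placeholders, not real CVE entries.

```python
"""Signature-based vulnerability matching (added example).

An inventory of installed software is checked against a small advisory
database whose entries describe an affected version range. All advisory
ids, products and ranges below are constructed for illustration; they are
not real CVE records.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, not a real CVE number
    product: str
    affected_min: str       # first affected version (inclusive)
    fixed_in: Optional[str]  # first fixed version (exclusive); None = no fix yet
    severity: str

# Constructed advisory database.
ADVISORIES = [
    Advisory("ADV-0001", "openssh-server", "7.0", "8.4", "high"),
    Advisory("ADV-0002", "nginx", "1.18.0", "1.20.1", "medium"),
    Advisory("ADV-0003", "libxml2", "2.9.0", None, "critical"),
    Advisory("ADV-0004", "nginx", "1.0.0", "1.18.0", "low"),
]

# Constructed host inventory, e.g. as collected by an authenticated scan.
INVENTORY = {
    "openssh-server": "8.2p1",
    "nginx": "1.18.0",
    "libxml2": "2.10.3",
    "curl": "7.88.1",
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_version(version: str) -> tuple:
    """Turn '8.2p1' or '1.20.1-3' into a fixed-length numeric tuple so that
    versions compare correctly ('1.2' == '1.2.0', '1.2' < '1.10').
    Pre-release/build suffixes after '-' or '+' and letters inside a
    component are ignored, which is a simplification of real version schemes."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    nums = []
    for part in core.split("."):
        match = re.match(r"\d+", part)
        nums.append(int(match.group()) if match else 0)
    nums = (nums + [0] * 4)[:4]
    return tuple(nums)

def is_affected(installed: str, adv: Advisory) -> bool:
    """True when installed version lies in [affected_min, fixed_in)."""
    v = parse_version(installed)
    if v < parse_version(adv.affected_min):
        return False
    if adv.fixed_in is not None and v >= parse_version(adv.fixed_in):
        return False
    return True

def scan(inventory: dict, advisories: list) -> list:
    """Match every inventory entry against every advisory for the same product
    and return findings ordered by severity (critical first)."""
    findings = []
    for product, version in inventory.items():
        for adv in advisories:
            if adv.product == product and is_affected(version, adv):
                findings.append({
                    "advisory_id": adv.advisory_id,
                    "product": product,
                    "installed": version,
                    "fixed_in": adv.fixed_in,
                    "severity": adv.severity,
                })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])

if __name__ == "__main__":
    for f in scan(INVENTORY, ADVISORIES):
        fix = f["fixed_in"] or "no fix available"
        print(f'{f["severity"]:8} {f["advisory_id"]} {f["product"]} '
              f'{f["installed"]} (fixed in: {fix})')
```

The usual caveat for this method is visible in the code: the result is only as good as the database and the version comparison. Distribution packages often backport fixes without changing the upstream version number, so a scanner that compares versions alone reports false positives there, and a product missing from the database (curl in the constructed inventory) produces no finding even if it is vulnerable.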
Vulnerability scanning techniques are used in combination (for example, vulnerability scanning (VS) and security profile compliance (SPC) modules working together for comprehensive analysis) and can be extended with additional techniques such as patch analysis (checking for installed and missing updates) and stress testing (simulating extreme conditions, high load and a large number of requests to test system stability) to identify DoS vulnerabilities. When choosing a vulnerability detection and analysis system, the combination of methods it supports is the deciding factor. Such processes are integrated into the development process or applied to off-the-shelf third-party solutions to improve overall security and protect infrastructure from potential intrusions.
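The security profile compliance (SPC) check mentioned above, and described under item 4), compares effective system settings against a baseline. The Python example below is added here and is not code from the original article or from Security Vision; it parses a constructed sshd_config-style file and reports deviations from a constructed baseline. The baseline values and the defaults assumed for absent keywords are illustrative and should be verified against the installed sshd version; the code follows the documented sshd rule that the first occurrence of a keyword wins, and it stops at the first Match block because directives after it are conditional.

```python
"""Configuration analysis / security profile compliance (added example).

Parses an sshd_config-style text, derives the effective value for each
keyword, and compares it with a baseline. The config text, the baseline
and the assumed defaults are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    keyword: str
    allowed: tuple            # acceptable values (compared case-insensitively)
    default: Optional[str]    # value assumed when the keyword is absent (assumption)
    rationale: str

# Constructed baseline; defaults are assumptions for this example.
BASELINE = [
    Rule("PermitRootLogin", ("no", "prohibit-password"), "prohibit-password",
         "root should not log in with a password"),
    Rule("PasswordAuthentication", ("no",), "yes",
         "keys only; passwords are exposed to guessing"),
    Rule("X11Forwarding", ("no",), "no",
         "no X11 forwarding on servers"),
    Rule("MaxAuthTries", ("1", "2", "3", "4"), "6",
         "limit attempts per connection"),
]

# Constructed sshd_config for the example.
SAMPLE_CONFIG = """
# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no        # ignored by sshd: the first value wins
MaxAuthTries 3
Match User backup
    PasswordAuthentication no
"""

def parse_sshd_config(text: str) -> dict:
    """Return a map of lowercased keyword -> effective value.
    The first occurrence of a keyword wins; parsing stops at the first
    'Match' line because everything after it applies conditionally."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts 'Key value' and 'Key=value'
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective

def check_compliance(effective: dict, baseline: list) -> list:
    """Compare effective settings (falling back to the rule's assumed default
    when a keyword is absent) against the baseline and return the deviations."""
    findings = []
    for rule in baseline:
        key = rule.keyword.lower()
        if key in effective:
            value, source = effective[key], "config"
        else:
            value, source = rule.default, "default (assumed)"
        if value is None or value.lower() not in [a.lower() for a in rule.allowed]:
            findings.append({
                "keyword": rule.keyword,
                "value": value,
                "source": source,
                "allowed": rule.allowed,
                "rationale": rule.rationale,
            })
    return findings

if __name__ == "__main__":
    for f in check_compliance(parse_sshd_config(SAMPLE_CONFIG), BASELINE):
        print(f'FAIL {f["keyword"]}={f["value"]} [{f["source"]}] '
              f'expected one of {f["allowed"]}: {f["rationale"]}')
```

Two details matter for a compliance scanner and are handled above: a keyword absent from the file is not a pass, it takes the daemon's default, which may itself violate the baseline; and a duplicate later in the file (the second PermitRootLogin in the constructed config) does not override the first, so a reviewer reading only the last line would be misled. In practice the effective defaults depend on the installed version, which is why a host (authenticated) scan that can run `sshd -T` on the target is more reliable than parsing the file alone.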