The futility of vulnerability scans: Why they're not worth your time and energy!
Vulnerability scans are often touted as a critical cybersecurity tool, helping you spot flaws that require mitigation. Blah, blah, blah. I get it. We all want to protect ourselves from cyberattacks, and any tool that can help us proactively monitor our networks and systems has got to be a good thing, right?
But do they really offer valuable insights, or are they merely a gimmick that fosters a misleading sense of security?
For those of you that know me, I don't mince my words, so here goes...
What are vulnerability scans?
Before getting into the debate, let's define vulnerability scans...
Vulnerability scans are automated technologies used to identify known flaws in systems, networks, or applications, such as obsolete software, misconfigured settings, missing patches, and other security weaknesses.
Having identified those flaws, the intention is to then address these flaws before they're exploited by bad actors.
Why are vulnerability scans often ineffective?
I’m going to reiterate here some commonly cited reasons why vulnerability scans (in the majority of cases) are a waste of time:
1. False positives
Vulnerability scans, by their very nature, are risk-averse. That means they err on the side of caution, often overwhelming IT teams with false alarms and diverting them away from much more serious issues. And, as if that wasn't bad enough, the scans themselves often focus mainly on software versions, instead of more usefully spotting configuration or patch issues that need fixing. This is why companies like Darktrace try to sell you the expensive dream of automating this tedious task with AI.
2. Scan limitations
Vulnerability scans are designed to spot known vulnerabilities, and so fail to detect zero-day flaws or advanced attacks, making them ineffective against sophisticated hackers. Secondly, they don't actually test for the flaws (which would be dangerous); they just infer them from version numbers. And, if scanning software can detect a real vulnerability, then so can hackers, essentially making it too late to avoid exploitation.
3. Lack of context
Scans may also lack organizational context, meaning they flag concerns that don't actually pose a threat. For example, a scan might flag a self-signed TLS certificate as being an issue, but the use of self-signed TLS certificates might be perfectly valid in some circumstances. Your organization will almost certainly have a separate process for managing your SSL certificates anyway.
4. Misconfigurations and errors
My personal bugbear is that vulnerability scans claim to be able to detect misconfigurations and other human errors. Hang on a second, let's check that logic. They're claiming that a computer programme, which is configured by humans and can't discern context, can accurately second-guess the human?
5. Not a miracle cure
You won’t be surprised that I would caution against relying on a single tool as a complete security solution. You're much better off spending your time improving the overall defense of your systems and networks, including putting adequate firewalls in place.
But none of these reasons come close, in my experience, to the real reason they're ineffective...
Humans are fallible
Let's be brutally honest here. Humans are fallible and time-poor, so it's hardly surprising that the person running the scan also needs to be factored into the equation.
88% of all data breaches are caused by employee error.
Statistically, you're more likely to accidentally harm your network than you are to protect it. That's hardly surprising given the complexity of networks with multiple layers, protocols, devices, vendors, locations, domains, and platforms.
Imagine you've run a vulnerability scan and have a 300-page report on your desk to read, line by line. But that's not the only thing on your plate. Meanwhile, you're juggling multiple projects, trying to meet impossible deadlines, working long hours, and dealing with frequent changes and emergencies. It's hardly surprising that sometimes these things never get looked at, or that issues aren't prioritized correctly.
The conclusions drawn by time-saving automated technologies still need to be sense-checked by humans. These tools have a great propensity to mislead, and the real value in running a scan comes from being able to accurately interpret the results: brushing aside the false positives, and knowing what's genuinely worth looking at.
Even with all the tools in the world, there is no substitute for human judgement. So you need to think carefully about what you're going to do with the results before committing to the process.
Do I have anything good to say about vulnerability scans?
Ok. So it's not all doom and gloom. In certain circumstances, vulnerability scans can still make a valuable contribution. For example:
1. Proactive risk management
Vulnerability scans aid in proactive risk management by helping organizations identify and prioritize potential issues, enabling them to address vulnerabilities before they are exploited. I.e., they point out when someone has been a complete idiot and done something obviously stupid.
2. Compliance requirements
OK, so this is the big one. Compliance doesn't make you secure, but non-engineers love the warm fuzzy feeling it gives them. Many regulatory standards and industry frameworks mandate regular vulnerability assessments and scans as part of a comprehensive security program, ensuring compliance and avoiding legal repercussions.
3. Visibility
Vulnerability scans provide visibility into an organization's security posture, assisting security teams in making informed decisions and optimizing resource allocation. As a high-level overview, scans can give you good information. It's the pages of false positives that I have a problem with.
4. Continuous improvement
By integrating vulnerability scans into a continuous monitoring and improvement process, organizations can create a more resilient and secure environment over time. Well yes, but my point is that you could be wasting weeks of effort on a pointless task.
5. You must be joking...
...you're lucky I managed to come up with 4!
A better use of your time and energy...
Don't get me wrong. Vulnerability scans are great at picking up blatantly obvious mistakes. For example, an engineer setting up an old version of software for testing, and leaving it running somewhere it shouldn't be. But what drives me nuts is when good engineers are asked to waste valuable time going through every line of a vulnerability report to prove that each line is not a false positive. That's just soul-destroying, because engineers know you can't prove a negative!
May I humbly suggest that you may find it a more valuable use of your time to invest your precious waking hours in shoring up your defense-in-depth strategy. Yes, this holistic approach might include certain security products, but policies, processes, and employee education are just as important. Similarly, due to the ever-evolving nature of cybersecurity threats, it's important not to get complacent. Vulnerability scan results quickly become obsolete as new vulnerabilities are discovered.
What you really need is good engineers; then give them time to think 'outside the box'. What are the likely attack vectors? How could we change the architecture or business process to avoid or detect attacks?
I'm not saying never do a vulnerability scan, but it's worth questioning whether they're always the best use of your time...
What vulnerability scanning tools have you found useful?
As always, we want to know what you think. If you've come across any vulnerability scanning tools you'd recommend, we want to know! Please add them in the comments below for the benefit of our wider community.