• Home

  • Custom Ecommerce
  • Application Development
  • Database Consulting
  • Cloud Hosting
  • Systems Integration
  • Legacy Business Systems
  • Security & Compliance
  • GIS

  • Expertise

  • About Us
  • Our Team
  • Clients
  • Careers

  • Blog

  • VisionPort

  • Contact
  • Our Blog

    Ongoing observations by End Point Dev people

    Vulnerability Scanning

    Jeremy Freeman

    By Jeremy Freeman
    September 15, 2022

    A mountain ridge. One side of the ridge is still covered in shadows, while the sunrise illuminates the other side.

    Define Your Terms

    A security vulnerability is a flaw or bug that could be exploited by a threat agent/threat actor. According to CrowdStrike, “A threat actor, also known as a malicious actor, is any person or organization that intentionally causes harm in the digital sphere.” Once a bug or flaw is deemed a vulnerability, it is registered by the MITRE Corporation as a Common Vulnerability or Exposure (CVE) and stored in their CVE database. A CVE is given an identifying number by a CVE Numbering Authority (CNA), for example, Red Hat, Microsoft, and other designated authorities. The National Institute of Standards and Technology (NIST) is a federal agency housing the National Vulnerability Database (NVD). Threat levels are quantified by assigning a Common Vulnerability Scoring System (CVSS) score from 0 to 10. CVSS is a free and open standard for evaluating the level of threat to a business or organization maintained by the Forum of Incident Response and Security Teams (FIRST). NIST provides a CVSS calculator.

    The Attackers

    Real live people spend a lot of time and money trying to break into specific high-value targets, as do bots that clever people have weaponized to attack more cheaply and broadly at all hours of the day.

    Main Security Vulnerability Categories

    The main information security vulnerability categories are:

    • Broken Authentication.

      When security credentials are stolen, attackers can usurp user identities and sessions as if they were the user.

    • SQL Injection.

      Attackers can hijack database content by injecting malicious code. It can allow attackers to acquire sensitive data, modify or delete data, impersonate identities, and conduct other nefarious activities.

    • Cross-site scripting (XSS).

      This type of attack inserts malicious code into a website. Its target is the website user, threatening sensitive user information.

    • Cross-Site Request Forgery (CSRF).

      This attack may mislead the user into an action that they would do only unwittingly. For example, social engineering may hoodwink the user into clicking a link in an email or chat to get the user to perform an action of the attacker’s choice. It could be having their browser use JavaScript to submit a form that they don’t even know about.

    • Security Misconfiguration.

      A configuration error that can be exploited by attackers. For example:

      • Default passwords left in place
      • No password strength requirements to prevent users from setting weak passwords that can easily be found in dictionary attacks.
      • Web server directory listings left enabled, possibly exposing files that shouldn’t be seen
      • Unused software modules or plugins left enabled, increasing the attack surface
    • Software Vulnerabilities.

      Especially out-of-date software. As more time passes without getting security updates, attackers can examine code for bugs and flaws that could be exploited. Thus, a given piece of software that was secure at one time may be vulnerable six months later.

    For more on vulnerability categories, see our blog post OWASP Top 10. OWASP defines itself as “a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”

    Solutions

    Applications to scan for vulnerabilities are available. Some are free and/or open source, some are payed, and some have a free version and a payed version. Vulnerability scanners are automated tools that look into a database of known CVEs for the specific software and library versions running on a given server. They also examine systems for flaw types that could be exploited. The NIST NVD database synchronizes with the MITRE CVE database. The latter does not include CVSS scores or solutions, which are found in the NVD. In general, the vulnerabilities fall into three classifications:

    • System/Network: The application scans for system misconfiguration and network CVEs.
    • Web: The application scans for SQL Injections, XSS, CSRF, etc.
    • Software Analysis: Static Application Security Testing (SAST). SAST analyzes source code to find security vulnerabilities. Many organizations and even individuals provide apps that perform SAST. They specify which languages they can scan, sometimes one or two, sometimes up to a dozen or more.

    In summary, vulnerability scanning is a vital process that spans many aspects of Information Technology (IT). Its solutions are constantly evolving to keep up with new threats. An endless cat-and-mouse game where the cats must be ever adaptive to keep ahead of the ever-evolving malicious mice.

    security


    Comments