On Vulnerability Scanning

“The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand”
Sun Tzu, Art of War

A friend of mine asked me if I could give my advice about vulnerability scanning. He is enrolled in an information security class at one of the universities here in Manila. He said that vulnerability scanning is some sort of educational project for them. The questions and the topic provided a good opportunity for me given that:

  • I like to help my friend (he is a trusted contact)
  • This is an interesting security topic (for your geeky Product Manager)
  • My ideas here might be useful to other people (for your friendly blogger Product Manager)

So I decided to anonymize the details of our Q&A session and post the sanitized feedback here in my InfoSec blog. Remember: all your infosec post are belongs to us

Here are his questions:

  • Is it legal to perform a vulnerability scan from an external source?
  • Do I have a recommendation on how they should do the vulnerability scanning?
  • What are the standard parameters/elements of vulnerability scanning that they should use in this vulnerability assessment exercise?
  • Their group agreed to do scanning on “Company X”. Again, any advice on possible legal and other complications?
  • Is security company “Company Y” providing a secure online vulnerability assessment tool?

First, I shared my standard disclosure: where I work, my designation, and my areas of expertise (Malware, Tech Product Management and related domains). Next is the disclaimer: any information/insights I share should be considered personal opinions. I also joked that I should not, in any way, be held legally liable for my opinions and insights 🙂 . Seriously, setting this disclosure and disclaimer should, in my opinion, be a best practice for infosec folks when sharing these types of information outside of our official work functions (maybe this one is a good idea for a future post).

My feedback:
I told him that I prefer to skip the first 2 questions (the legal and how-to/technical aspects of Vulnerability Scanning (VS)). My suggestion to their group is to take some steps back, focus on the overall picture of the task, and do overall planning of the “vulnerability scanning” project. Planning is the key!!!

[Image: Hackathon101 (Image credits: Willow Brugh / Wikimedia Commons)]

I then explored their project by probing with more questions. Like:

  • What do they (the students) want to achieve?
  • What is the goal of this academic exercise?
  • What do they plan to do with the results?
  • Do they plan to make the results public?

Vulnerability scanning is a big topic. Planning and scoping it down will help them with this academic exercise in infosec. I also pointed out that they should set safety boundaries at the start to avoid potential technical and legal problems along the way.

To get things started, I gave them some examples:

  • Do they plan to do port scanning?
  • How about website vulnerability scans?
  • Does web application vulnerability scanning sound cool to them?
  • Maybe check the vulnerabilities of Company X’s Product ABC?

Examples like the ones above, along with the high-level objectives and scope of the project, will help them shape the project and are critical to its success.

Wow, this post is already more than 500 words 🙂 I plan to split this topic into 2 parts and post the 2nd part soon.

I hope you find the insights on Vulnerability Scanning helpful.

Until next blog post…