What is Vulnerability Scanning?
Vulnerability scanning is an automated security scan of your operational systems focused on vulnerability detection. The scanning process uses vulnerability scanning tools to probe your technology environment for potential security flaws by comparing against databases of known vulnerability information.
The security scanner starts with a port scan to guess the operating system and software you are running (also known as “fingerprinting”) and to detect exposed network services. Various tests are then performed to determine the presence of exposed vulnerabilities which are rated for the level of security risk.
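The matching step described above, sketched as an added example (not code from this page or from any scanner vendor): fingerprinted banners are compared against a table of known-vulnerable version ranges and each hit is rated. The banners, product names, advisory IDs and scores are constructed placeholders, and the rating bands are the CVSS v3 qualitative scale.

```python
import re

# Constructed sample input: service banners as a scanner might record them per port.
BANNERS = {
    22: "SSH-2.0-ExampleSSH_7.2",
    80: "Server: ExampleHTTPd/2.4.10",
    8080: "Server: ExampleHTTPd/2.4.58",
}

# Constructed vulnerability records (placeholder IDs, products and scores).
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "examplehttpd", "introduced": "2.4.0", "fixed": "2.4.50", "score": 9.8},
    {"id": "EXAMPLE-0002", "product": "examplessh", "introduced": "6.0", "fixed": "7.4", "score": 5.3},
    {"id": "EXAMPLE-0003", "product": "examplehttpd", "introduced": "2.2.0", "fixed": "2.4.5", "score": 7.5},
]

BANNER_RE = re.compile(r"([A-Za-z]+)[/_](\d+(?:\.\d+)*)")

def version_key(text):
    """Compare versions numerically: as strings, '2.4.10' would sort before '2.4.5'."""
    return tuple(int(part) for part in text.split("."))

def fingerprint(banner):
    """Return (product, version) guessed from a banner, or None if unrecognised."""
    match = BANNER_RE.search(banner)
    return (match.group(1).lower(), match.group(2)) if match else None

def rate(score):
    """Map a CVSS v3 base score to its qualitative severity band."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"

def match_findings(banners, advisories):
    """List candidate findings, highest score first. Banner evidence is unverified."""
    findings = []
    for port, banner in banners.items():
        guess = fingerprint(banner)
        if guess is None:
            continue
        product, version = guess
        for adv in advisories:
            low, high = version_key(adv["introduced"]), version_key(adv["fixed"])
            if adv["product"] == product and low <= version_key(version) < high:
                findings.append({"port": port, "id": adv["id"],
                                 "score": adv["score"], "rating": rate(adv["score"])})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for finding in match_findings(BANNERS, ADVISORIES):
        print(finding)
```

Every result here rests on a banner alone, which is why scanner output lists potential vulnerabilities rather than confirmed ones.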
Vulnerability scans can be run externally, against servers and network devices exposed to the internet, or from within your internal network (i.e. an internal vulnerability scan).
Scans are typically conducted on the “network layer” or the “web application layer”. A network scan is done using a network vulnerability scanner to detect issues on operating systems and commonly used software, while a web application vulnerability scanner will focus on web services.
To detect vulnerabilities in the operating system and commonly used software in servers and network devices.
To detect vulnerabilities at the web application layer, usually for custom-developed web apps.
To detect vulnerabilities in the operating system of end user computers.
Free Vulnerability Scanning?
Yes, we are offering a free one-time web and network vulnerability test on your websites, servers and network devices that are exposed to the internet. This scan will be performed remotely over the public internet.
For this free vulnerability scanning service, you will receive a vulnerability report that is automatically generated by the vulnerability scanner.
To be clear, a vulnerability assessment will not be performed. This means that there may be false positives in the scan results, no assessment of security risks will be performed on the detected vulnerabilities, and we will not be providing any advisory or answering any questions related to the report.
Vulnerability Scanning Process
Run scanning tools to analyze target and detect potential vulnerabilities.
Automatically generate report from vulnerability scanner.
Frequently Asked Questions
Why do I need a vulnerability scan?
Despite your best efforts, it is inevitable that there will be systems that are not securely implemented or not updated with the latest security patches.
A vulnerability scan can help you discover your attack surface, detect security weaknesses due to misconfigurations, and alert you to unpatched systems. It will also help detect web application vulnerabilities including cross-site scripting, SQL injection and other flaws.
This helps to reduce the risk of a data breach by hackers who exploit vulnerabilities to disrupt your operations and gain access to your sensitive data.
How often should vulnerability scans be conducted?
More than 100,000 security vulnerabilities were reported for operating systems and commonly used software over the last five years. This is an average of 2.5 vulnerabilities published every hour.
Best practices recommend that a vulnerability scan is conducted every quarter (i.e. 3 months). With the heightened cyber risk environment, most organisations should consider a monthly scanning schedule, especially for systems exposed on the internet.
Regular scanning is a key component of your vulnerability management process.
Why are you doing this for free?
Over the years, various customers have shown us “penetration testing” reports which were actually vulnerability scan reports. Yes, the customers thought they had purchased a penetration testing service but, not knowing better, ended up with an automatically generated report from a vulnerability scanner.
Such security scans require minimal effort from service providers and we are happy to offer this security service for free.
We’ve also had customers who are hesitant about getting a penetration test done because they are unsure if it’s worth the spend. Regardless of the benefits, it’s only natural for some customers to think they only get their money’s worth if many security issues are found (i.e. divide cost of service by the number of vulnerabilities). Starting with a vulnerability scan can help you see if more in-depth security testing by a security expert is needed.
Can you do a free vulnerability scan for my internal network?
An internal vulnerability scan can only be performed onsite and will require our consultants to physically travel to your premises and connect our machine to your internal network to run the scanning software.
For Singapore customers, this may be possible, but we will have to charge a nominal fee. Why? Because consultant time is precious, and Grab is expensive.
For customers outside of Singapore, you may be thinking this can be done over a VPN or some other form of remote access mechanism. From our experience, this does not always work well for vulnerability scanning and there is quite a bit of coordination and setup required (read: consultant time spent). If you feel strongly otherwise, do feel free to reach out for a chat.
What security tools do you use?
We will use the commercial scanner, Tenable Nessus Pro, for this free vulnerability scanning.
Yes, we are CREST accredited
Our core team is based in Singapore and consists of CREST certified penetration testers who are also Offensive Security Certified Professional (OSCP) certified. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium businesses, and across various industries.