The challenge for Day Four is – Learn anything about Vulnerability Scanning
For this challenge I read a good article comparing vulnerability scans with penetration tests.
A vulnerability scan searches an application for exposed ports and known vulnerabilities, then typically produces a report listing the findings in order of severity.
A vulnerability scan is a very helpful tool to get a surface level look at areas of your app that should get extra attention.
However, it’s risky to rely too heavily on a vulnerability scan, as you run the risk of missing “unknown vulnerabilities” that can only be found through human interaction.
The scan runs a set of checks, not tests. It checks whether ports are open, whether known vulnerable configurations are set, and so on, but it stops once it has noticed the vulnerability: it doesn’t push forward to test the impact of the vulnerability, and it doesn’t look for anything outside its specifications.
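To make the “checks, not tests” point concrete, here is a small added example (not from the article or from any real scanner) of how a check-based scan works: each check recognises one known condition in a constructed host profile and records a finding, nothing ever tries to use what it found, and the report is simply the findings sorted by severity. The host data, banners and advisory reference are all made up for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    check: str        # which check fired
    severity: Severity
    detail: str       # what was observed, not what could be done with it


# Constructed host profile standing in for what a scanner observes:
# open ports with their service banners, plus a few configuration values.
SAMPLE_HOST = {
    "open_ports": {22: "ExampleSSH 2.1", 23: "telnetd", 80: "ExampleHTTPd/1.0"},
    "config": {"ssh_password_auth": "yes", "tls_min_version": "1.0"},
}

# Constructed banner-to-advisory table; a real scanner uses a maintained feed.
KNOWN_VULNERABLE_BANNERS = {"ExampleHTTPd/1.0": "advisory PLACEHOLDER-0001"}


# Every check returns a Finding or None. A check stops at recognition.
def check_cleartext_service(host):
    if 23 in host["open_ports"]:
        return Finding("cleartext-service", Severity.HIGH,
                       "telnet (23/tcp) is open; logins travel unencrypted")

def check_known_vulnerable_version(host):
    for port, banner in host["open_ports"].items():
        if banner in KNOWN_VULNERABLE_BANNERS:
            return Finding("known-vulnerable-version", Severity.CRITICAL,
                           f"{banner} on {port}/tcp matches {KNOWN_VULNERABLE_BANNERS[banner]}")

def check_weak_tls(host):
    if host["config"].get("tls_min_version") in ("1.0", "1.1"):
        return Finding("weak-tls", Severity.MEDIUM, "TLS 1.0/1.1 still accepted")

def check_ssh_password_auth(host):
    if host["config"].get("ssh_password_auth") == "yes":
        return Finding("ssh-password-auth", Severity.LOW, "SSH allows password logins")

CHECKS = [check_cleartext_service, check_known_vulnerable_version,
          check_weak_tls, check_ssh_password_auth]

def scan(host):
    """Run each check exactly once; report findings most severe first."""
    findings = [f for f in (check(host) for check in CHECKS) if f is not None]
    return sorted(findings, key=lambda f: f.severity, reverse=True)
```

Note that no check learns anything about impact: a penetration tester would take the HIGH and CRITICAL entries as starting points, whereas the scan is finished as soon as the list is printed.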
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!