Vulnerability Scanning: What It Is and Why Your Business Needs To Do It

Premium Carbide accounts now include weekly vulnerability scanning reports.

If you’re trying to protect the data your business handles, vulnerability scanning is an indispensable tool for making sure your critical systems don’t offer attackers easy entry points. It’s a best practice in information security and a common requirement in a number of security frameworks. So what is vulnerability scanning? And how can it help you protect your company, customer data, products, and critical operations?

What is Vulnerability Scanning? 

Vulnerability scanning uses an automated tool to check your website (or application or network) for known security issues, so you can identify weaknesses that could result in a data breach. A scanner probes the target, records what it sees (software versions, open ports, configuration details, application responses) and matches that against a database of known weaknesses; it does not find anything the database has no signature for. Businesses often run automated scans on a regular schedule to catch newly disclosed vulnerabilities, so they can be fixed before an attacker discovers them.

The results of a vulnerability scan are usually delivered to a development or security team as a report (often a PDF), with the findings prioritized by risk level, commonly derived from CVSS scores. A scan report can also include false positives, and it may flag information that is useful to know but does not require remediation.

So What About Penetration Testing vs. Vulnerability Scanning? 

Penetration testers may start with a vulnerability scanning tool so that the “easy” vulnerabilities are included in their results. A quality penetration test, however, goes much further: a human tester can chain individually low-rated findings together, probe business logic, and identify unknown vulnerabilities that an automated scan cannot detect.

For many SaaS businesses, the best option is to use both vulnerability scanning and penetration testing to regularly check for potential entry points attackers could use against your product. In practice this might mean weekly vulnerability scans and an annual (or semi-annual) penetration test, with an additional scan after any significant change to the environment.

How Much Does Vulnerability Scanning Cost? 

Like most things in business, you’ll find a range of options, services, and prices. If you’re doing a single vulnerability scan to start off and assess your status, with only one or two URLs scanned, that would be a one-time cost on the low end (think around $500 as a ballpark). If you’re doing continuous vulnerability scanning, say on a weekly schedule as we offer with Premium Carbide accounts, then you could be looking at a few thousand dollars annually (let’s say around $3,000).

Cost can also be partly determined by the frameworks or regulations your business adheres to. PCI DSS requires at least quarterly vulnerability scans of in-scope systems, and the external scans of internet-facing systems must be performed by an Approved Scanning Vendor (ASV) on the PCI Security Standards Council’s list. Not all vulnerability scanning tools meet that bar, meaning you may have fewer choices and higher costs to meet your requirements.

How to Read a Vulnerability Scan Report

Most vulnerability scan reports group the findings by risk, prioritizing the weaknesses that should be addressed immediately and noting low-level risks that should be remediated when possible. If a finding is not fully remediated (for example, patched on one host but not on another that runs the same service), it will reappear in future scans.

As an example your vulnerability scan report may have four categories: 

  1. Critical Vulnerabilities are the most likely to be exploited, and they require immediate attention and mitigation. For these there is typically a security patch or another remediation action your team should take ASAP.
  2. Medium Vulnerabilities might be exploitable but may require more analysis. They introduce less risk, but should still be mitigated in a timely manner.
  3. Warnings flag areas where your security could be reinforced, helping you to mitigate additional potential vulnerabilities.
  4. Additional Information is a category that functions as an FYI, giving you additional details the scan noted that may be important for understanding your overall security posture.

A report can also include false positives, so some findings may turn out to be non-issues on review, and others may already have been remediated since the scan ran. Keep a record of which findings were confirmed as false positives so the same entries are not re-triaged every week, and re-check that record whenever the affected host or service changes.
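As an added example (not from the original post and not Carbide’s code), here is a small Python script that applies the triage described above to two consecutive scan exports: it drops findings a human has already confirmed as false positives, buckets what remains by severity, and diffs against the previous scan so the team can see what is new, what is still open, and what was actually fixed. The JSON layout, check names, hosts, ports and the false-positive list are all constructed for illustration and do not correspond to any particular scanner’s format.

```python
"""Triage two consecutive vulnerability scan reports (constructed example).

The report format below is a hypothetical JSON export, not any real
scanner's. Each finding has a check id, a host, a port and a severity label.
"""
import json
from collections import defaultdict

# Ranking used to order the report; map whatever labels your scanner emits
# onto this (these labels are assumptions for the example).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Findings a reviewer has confirmed as false positives. Keyed on
# (check id, host, port) so suppression never hides the same check firing
# on a different asset. Constructed data.
FALSE_POSITIVES = {
    ("ssl-cert-expired", "10.0.0.5", 443),
}

# Constructed sample exports: last week's scan and this week's scan.
PREVIOUS_SCAN = json.dumps({"findings": [
    {"id": "outdated-openssh", "host": "10.0.0.5", "port": 22, "severity": "High"},
    {"id": "tls-1.0-enabled", "host": "10.0.0.5", "port": 443, "severity": "Medium"},
    {"id": "ssl-cert-expired", "host": "10.0.0.5", "port": 443, "severity": "Medium"},
    {"id": "http-server-header", "host": "10.0.0.7", "port": 80, "severity": "Info"},
]})
CURRENT_SCAN = json.dumps({"findings": [
    {"id": "outdated-openssh", "host": "10.0.0.5", "port": 22, "severity": "High"},
    {"id": "ssl-cert-expired", "host": "10.0.0.5", "port": 443, "severity": "Medium"},
    {"id": "http-server-header", "host": "10.0.0.7", "port": 80, "severity": "Info"},
    {"id": "sql-injection", "host": "10.0.0.7", "port": 80, "severity": "Critical"},
]})


def finding_key(finding):
    """Identity of a finding across scans: same check on the same host:port."""
    return (finding["id"], finding["host"], finding["port"])


def load_findings(report_json):
    """Parse an export into a dict keyed by finding_key."""
    report = json.loads(report_json)
    return {finding_key(f): f for f in report["findings"]}


def suppress_false_positives(findings):
    """Drop findings on the reviewed false-positive list."""
    return {k: f for k, f in findings.items() if k not in FALSE_POSITIVES}


def bucket_by_severity(findings):
    """Group findings by severity, most severe bucket first."""
    buckets = defaultdict(list)
    for f in findings.values():
        buckets[f["severity"].lower()].append(f)
    ordered = sorted(buckets.items(), key=lambda kv: SEVERITY_RANK.get(kv[0], 99))
    return {sev: sorted(items, key=finding_key) for sev, items in ordered}


def diff_scans(previous, current):
    """Split current findings into new vs. persistent, and list what was resolved."""
    new = {k: f for k, f in current.items() if k not in previous}
    persistent = {k: f for k, f in current.items() if k in previous}
    resolved = {k: f for k, f in previous.items() if k not in current}
    return new, persistent, resolved


def triage(previous_json, current_json):
    """Full pipeline: suppress false positives, diff, and prioritise."""
    previous = suppress_false_positives(load_findings(previous_json))
    current = suppress_false_positives(load_findings(current_json))
    new, persistent, resolved = diff_scans(previous, current)
    return {
        "new": sorted(new),
        "persistent": sorted(persistent),
        "resolved": sorted(resolved),
        "by_severity": {sev: [finding_key(f) for f in items]
                        for sev, items in bucket_by_severity(current).items()},
    }


if __name__ == "__main__":
    result = triage(PREVIOUS_SCAN, CURRENT_SCAN)
    for section in ("new", "persistent", "resolved"):
        print(f"{section}: {result[section]}")
    for sev, keys in result["by_severity"].items():
        print(f"{sev}: {keys}")
```

The persistent list is the one to watch: a finding that survives several scans is either unfixed or only partly fixed, and the key includes host and port so a patch applied to one server does not make the same issue on another disappear from view.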

Software for Continuous or Periodic Vulnerability Scanning 

Ultimately, a vulnerability scanning service that can offer automated, continuous scanning, and comprehensive vulnerability scan reports is worth the investment. 

What about free vulnerability scanning tools? There are a number of open-source vulnerability scanning tools available. These can be worth using as a starting point for development teams (looking at you, startup founders) or to supplement periodic scans. 

However, some free scanning tools can be difficult to use, offer only limited free trials, or won’t satisfy requirements like being an approved vendor for the Payment Card Industry standards. A free tool cannot satisfy the PCI DSS external scanning requirement: the quarterly external scans must come from an Approved Scanning Vendor (ASV), whose scanning solution has been tested and validated by the PCI Security Standards Council to conduct external vulnerability scans according to PCI standards. Free or open-source tools can still be used for the internal scans PCI DSS also requires, and for your own scanning between ASV scans.

Because free vulnerability scanning tools are easily available, it’s worth remembering that the same scanning tools are available to malicious actors. It’s best to scan your network for vulnerabilities and address them before someone else discovers an unpatched vulnerability and uses it to attack your business.

Vulnerability Scanning with Carbide 

Vulnerability scanning is a critical tool for keeping your business secure, which is why we offer it to all of our Carbide customers (it’s included for all our Premium customers, or as an add-on for Standard accounts). It’s a critical best practice we’d like to see all our customers implement as part of their security programs. Book a demo with our team of security experts to learn how the Carbide platform can help you meet the requirements for information security standards like PCI DSS, SOC 2, ISO 27001, and more.