2023-07-12
Two views of security and vulnerability scanners
In my entry on how web servers should refuse requests for random URLs, I mentioned that we have an open source security and vulnerability scanner. Among the reactions I saw to that entry were people who felt that such scanners are basically a bad idea, and in thinking about the issue I've decided that I can see two views of such scanners.
Some people have a heavily controlled and locked down environment. They know every machine on the network and every service that's supposed to be running on every machine, and they have controls that enforce that (such as 'default deny' host firewalls, so that a surprise service can't be connected to). For these people, a security scanner is extremely unlikely to discover any actual surprises; there are (or should be) no surprise hosts, no surprise services, no surprise vulnerabilities on services, and so on. Everything a security scanner reports is extremely likely to be either a false positive or something that's already known about (and sometimes both at once).
This is not our environment, which is an increasingly unusual one. Our overall network has an assortment of machines running an assortment of services, operated by an assortment of people, and internally things are mostly not locked down at the per-host level. Where we have firewall rules that block inbound traffic they can be complex, with interactions we may not have foreseen, and anyway machines and their uses can come and go, with new machines quietly inheriting the IP addresses and firewall policies of old ones.
In our environment I think of internal and external security scans as a useful cross check that verifies the actual reality against our assumptions. We certainly shouldn't have anything real exposed and vulnerable, but theory is not necessarily reality in an anarchic environment. Our security scanner mostly does find unimportant things, but with its settings adjusted it's not too noisy, and the reassurance value of it not discovering any actual problems despite checking is worth the noise. In this sense, security scans are guards against error, as are some of our alerts.
(For our purposes, merely running port scans would be less effective and more noisy. At a minimum we'd have to build something to track what services we expect to be listening and exclude them from the results.)
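To make that cross check concrete, here is an added example of mine (not code from the original entry): it parses a constructed scan result in the shape of nmap's grepable (-oG) output, diffs it against a hypothetical inventory of expected listeners, and reports both surprise services (including on hosts we didn't know about) and expected services that have vanished. The hosts, ports and inventory are all assumptions.

```python
import re

# Constructed sample in the shape of nmap's grepable (-oG) output; assumption:
# fields are tab-separated and open ports appear as port/open/proto//service///.
SCAN_OUTPUT = """\
# Nmap scan (constructed sample, not a real network)
Host: 192.0.2.10 (www.example.net)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 (db.example.net)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
Host: 192.0.2.12 (build.example.net)\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 192.0.2.13 ()\tStatus: Up
Host: 192.0.2.14 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
"""

# Hypothetical inventory of what we *expect* to be listening (host -> ports).
EXPECTED = {
    "192.0.2.10": {22, 80, 443},
    "192.0.2.11": {22, 3306},
    "192.0.2.12": {22},       # 8080 would be a leftover from this IP's previous owner
    "192.0.2.13": {22, 25},   # we believe a mail relay lives here
}
EVERYWHERE = {22}             # sshd is allowed on any host without listing it

PORT_RE = re.compile(r"(\d+)/open/(?:tcp|udp)//([^/]*)///")

def parse_grepable(text):
    """Return {host: {port: service}} for every port reported open."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments, and hosts with no open ports
        host = line.split()[1]
        ports_field = re.search(r"Ports: ([^\t]*)", line).group(1)
        observed[host] = {int(p): svc for p, svc in PORT_RE.findall(ports_field)}
    return observed

def cross_check(observed, expected, everywhere=frozenset()):
    """Diff reality against the inventory: (surprise listeners, missing listeners)."""
    surprises, missing = {}, {}
    for host in set(observed) | set(expected):
        allowed = expected.get(host, set()) | set(everywhere)
        seen = observed.get(host, {})
        extra = {p: s for p, s in seen.items() if p not in allowed}
        if extra:
            surprises[host] = extra       # unknown host or unknown service: go look
        gone = expected.get(host, set()) - set(seen)
        if gone:
            missing[host] = gone          # inventory says it should be there; it isn't
    return surprises, missing
```

Running `cross_check(parse_grepable(SCAN_OUTPUT), EXPECTED, EVERYWHERE)` on the sample flags the stale 8080 listener on 192.0.2.12 and the unknown web server on 192.0.2.14, and separately notes that 192.0.2.13 is not listening on anything we expected.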
Of course, you probably have to tune the reports from your security scanner to be useful, just as you need to tune alerts. If you're operating in an environment where you can't modify what the security scanner reports and it reports pointless junk, you have at least two problems (and my sympathies).