We recently announced we're deprecating Server Vulnerability Scanning and introduced a beta for AWS Inspector. Learn more here.
What should I use for vulnerability scanning?
As part of their audit, customers usually need to provide evidence of vulnerability scans to their auditor. The article below explains exactly what evidence the audit will require, the controls it is associated with (depending on the standard), and our recommendations for satisfying this control using features in Vanta or another vulnerability management program.
Note: We recently announced we are deprecating the Vanta Agent and introduced our beta for AWS Inspector. If you want to read a little more about that, head here.
Evidence Required
Typically, the auditor will look for:
- Evidence that a vulnerability scan was conducted within the past quarter
- Evidence that a sample of vulnerabilities was remediated within a customer-defined SLA
Note that typically, you only need to provide evidence of one scan per quarter.
If the customer uses a vulnerability tool Vanta integrates with, this evidence is populated automatically and can be demonstrated simply by visiting the Vulnerabilities page.
Otherwise, this evidence should be provided manually, usually by showing:
- findings from a recent vulnerability scan
- a sample of tickets showing the vulnerability was tracked and remediated on time, based on the SLAs determined at the company level and specified in your Vulnerability Management policy
Vanta supports directly uploading this evidence under “Vulnerability scan” and “Sample of remediated vulnerabilities” on the Documents page. Vanta will also automatically surface when it's time to upload new evidence.
Controls Fulfilled
Vulnerability scanning evidence is needed to fulfill the following controls:
SOC 2
- Service infrastructure maintained: The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.
- Vulnerabilities scanned and remediated: Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.
HIPAA
- Malicious software protection implemented: The company has implemented procedures for guarding against, detecting, and reporting malicious software.
- Security controls evaluated: The company performs a periodic technical and nontechnical evaluation, based initially upon the HIPAA security rule, and subsequently, in response to environmental or operational changes affecting the security of electronic Protected Health Information (ePHI), establishes the extent to which the company's security policies and procedures meet the requirements of the HIPAA security rule (subpart C).
ISO 27001
- Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
- Technical compliance review: Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.
Recommendations for Fulfillment
Multiple practices can fulfill the scanning requirement, but the specifics vary auditor-to-auditor. We recommend customers ask their auditor early in the audit process for the exact requirements.
Penetration testing
Since penetration tests typically involve running a vulnerability scan against server host environments, these are accepted by some auditors.
- Customers can upload recent penetration tests on the Documents page.
Container scanning tools
For customers that package and deploy their code via containers, these tools scan for package vulnerabilities and misconfigurations. This is often sufficient evidence, particularly for customers using serverless or PaaS.
- Vanta has a container scanning feature for the following systems:
  - AWS ECR Container Scanning
  - Google Cloud Repository Container Scanning
  - Azure Defender for Containers
  - Snyk
Note: Some auditors insist on “host-based server scanning” as a strict requirement if the customer runs servers. In these cases, container scanning needs to be supplemented with server scanning.
Code and dependency scanning
These tools scan for code and code dependency vulnerabilities.
- Common tools:
  - Snyk (integrates with Vanta)
  - GitHub Dependabot
Note: As with container scanning, some auditors may ask to supplement with server scanning.
Server scanning
These tools scan server hosts for package vulnerabilities.
- Common tools:
  - AWS Inspector ← Recommended for AWS customers. Vanta will be integrating with AWS Inspector to surface findings directly in Vanta.
  - Azure Defender for Servers ← Recommended for Azure customers
  - Tenable Nessus ← Recommended for GCP customers
  - Threat Stack
NOTE: Vanta does not automatically pull evidence from the above tools but may build integrations to support the above systems.
For each tool the customer uses, they should regularly review the findings and address them within a company-specified SLA. They can specify their SLA on Vanta’s Procedures page.
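To make the two pieces of evidence above concrete, here is an added example (not Vanta's code, and not tied to any particular scanner) that takes a constructed list of scanner findings and reports whether the most recent scan falls within the past quarter and which findings were remediated inside their SLA. The per-severity SLA values are placeholders: the page says the SLA is customer-defined, so substitute the numbers from your own Vulnerability Management policy.

```python
from datetime import date, timedelta

# Assumed remediation SLA per severity, in days. The SLA is customer-defined,
# so these are placeholder values, not Vanta's or an auditor's requirement.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
QUARTER_DAYS = 92  # scan cadence the SOC 2 control asks for: at least quarterly

# Constructed sample findings with the fields a scanner export typically carries.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "scan": date(2024, 4, 2), "fixed": date(2024, 4, 6)},
    {"id": "F-2", "severity": "high", "scan": date(2024, 4, 2), "fixed": date(2024, 5, 20)},
    {"id": "F-3", "severity": "high", "scan": date(2024, 6, 10), "fixed": None},
    {"id": "F-4", "severity": "low", "scan": date(2024, 6, 10), "fixed": None},
]
AS_OF = date(2024, 7, 15)  # constructed "today" for the report


def sla_state(finding, today):
    """Classify one finding against its SLA deadline as of `today`."""
    deadline = finding["scan"] + timedelta(days=SLA_DAYS[finding["severity"]])
    fixed = finding["fixed"]
    if fixed is not None:
        return "remediated_in_sla" if fixed <= deadline else "remediated_late"
    return "open_in_sla" if today <= deadline else "overdue"


def evidence_summary(findings, today):
    """Build the evidence an auditor looks for: a scan within the past quarter
    and a sample of findings remediated within the SLA, plus what is overdue."""
    last_scan = max(f["scan"] for f in findings)
    states = {f["id"]: sla_state(f, today) for f in findings}
    by_state = lambda s: sorted(i for i, st in states.items() if st == s)
    return {
        "last_scan": last_scan,
        "scan_within_quarter": (today - last_scan).days <= QUARTER_DAYS,
        "remediated_in_sla": by_state("remediated_in_sla"),
        "remediated_late": by_state("remediated_late"),
        "overdue": by_state("overdue"),
        # critical and high findings are the ones the SOC 2 control says must be tracked
        "open_critical_high": sorted(
            f["id"] for f in findings
            if f["fixed"] is None and f["severity"] in ("critical", "high")
        ),
    }


if __name__ == "__main__":
    for key, value in evidence_summary(FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

Anything listed under "overdue" is a gap the auditor will ask about, so it should already be in a tracked ticket before the evidence is uploaded.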
If you are curious about what vulnerability scanner you should use, please don’t hesitate to reach out to your Customer Success Manager, who will be able to provide you with some suggestions!