What should I use for vulnerability scanning?
- Customers usually need to provide evidence of vulnerability scans to their auditor as part of their audit. The article below will explain what the audit will require, clear evidence, the associated controls (dependent on standard), and our recommendations for satisfying this control using features in Vanta or another vulnerability management program.
- Typically, the auditor will look for:
- Evidence that a vulnerability scan was conducted within the past quarter
- Evidence that a sample of vulnerabilities was remediated within a customer-defined SLA
- Typically, you only need to provide evidence of one scan per quarter.
If the customer uses a vulnerability tool Vanta integrates with, this evidence is populated automatically and can be demonstrated simply by visiting the .
Otherwise, this evidence should be provided manually, usually by showing:
- Findings from a recent vulnerability scan
- A sample of tickets showing the vulnerability was tracked and remediated on time based on your SLAs determined at the company level and specified in your Vulnerability Management policy.
Vanta supports directly uploading this evidence under and on the . Vanta will also automatically surface when it's time to upload new evidence.
- Vulnerability scanning evidence is needed to fulfil the following controls:
- Service infrastructure maintained:
- The company has infrastructure supporting the service patched as a part of routine maintenance and, as a result, identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.
- Vulnerabilities scanned and remediated:
- Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked for remediation.
- Malicious software protection implemented:
- The company has implemented procedures for guarding against, detecting, and reporting malicious software.
- Security controls evaluated:
- The company performs a periodic technical and nontechnical evaluation, based initially upon the HIPAA security rule, and subsequently, in response to environmental or operational changes affecting the security of electronic protected Health Information (ePHI), establishes the extent to which the company's security policies and procedures meet the requirements of the HIPAA security rule (subpart C).
- Management of technical vulnerabilities:
- Information about technical vulnerabilities of information systems being used shall be obtained promptly, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
- Technical compliance review:
- Information systems shall be regularly reviewed to comply with the organization's security policies and standards.
Recommendations for Fulfilment
Multiple practices can fulfil the scanning requirement, but the specifics vary auditor-to-auditor. We recommend customers ask their auditor for the exact requirements early in the audit process.
- Since penetration tests typically involve running a vulnerability scan against server host environments, these are accepted by some auditors.
- Customers can upload recent penetration tests on the Documents pages.
Container scanning tools
These tools scan for package vulnerabilities and misconfigurations for customers that package and deploy their code via containers. This is often sufficient evidence, particularly for customers using serverless or PaaS.
- Vanta has a container scanning feature for the following systems:
- AWS ECR Container Scanning
- Google Cloud Repository Container Scanning
- Microsoft Defender for Cloud
Some auditors insist on "host-based server scanning" as a strict requirement if the customer runs servers. In these cases, container scanning needs to be supplemented with server scanning.
Code and dependency scanning
These tools scan for code and code dependency vulnerabilities.
As with container scanning, some auditors may ask to supplement with server scanning.
These tools scan server hosts for package vulnerabilities.
- Common tools:
- ← Recommended for AWS customers.
- ← Recommended for Azure customers
Vanta does not automatically pull evidence from the above tools but may build integrations to support the above systems. For each tool the customer uses, they should regularly review the findings and address them within a company-specified SLA.