What should I use for vulnerability scanning?

As part of their audit, customers usually need to provide evidence of vulnerability scans to their auditor. This article explains what the auditor will require as evidence, the associated controls (which depend on the standard), and our recommendations for satisfying this control using features in Vanta or another vulnerability management program.

Evidence Required

Typically, the auditor will look for:
  • Evidence that a vulnerability scan was conducted within the past quarter
  • Evidence that a sample of vulnerabilities was remediated within a customer-defined SLA

You usually only need to provide evidence of one scan per quarter.

If the customer uses a vulnerability tool that Vanta integrates with, this evidence is populated automatically and can be demonstrated simply by visiting the Vulnerabilities page.

Otherwise, this evidence should be provided manually, usually by showing:
  • Findings from a recent vulnerability scan
  • A sample of tickets showing that each vulnerability was tracked and remediated on time, based on the SLAs determined at the company level and specified in your Vulnerability Management policy

Vanta supports directly uploading this evidence under Vulnerability scan and Sample of remediated vulnerabilities on the Documents page. Vanta will also automatically surface when it's time to upload new evidence.

Controls Fulfilled

Vulnerability scanning evidence is needed to fulfill the following controls:

SOC 2
  • Service infrastructure maintained:
    • The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities, to help ensure that servers supporting the service are hardened against security threats.
  • Vulnerabilities scanned and remediated:
    • Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

HIPAA

  • Malicious software protection implemented:
    • The company has implemented procedures for guarding against, detecting, and reporting malicious software.
  • Security controls evaluated:
    • The company performs a periodic technical and nontechnical evaluation, based initially upon the HIPAA security rule and subsequently in response to environmental or operational changes affecting the security of electronic Protected Health Information (ePHI), that establishes the extent to which the company's security policies and procedures meet the requirements of the HIPAA security rule (subpart C).

ISO 27001
  • Management of technical vulnerabilities:
    • Information about technical vulnerabilities of information systems being used shall be obtained promptly, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
  • Technical compliance review:
    • Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

Recommendations for Fulfillment

Multiple practices can fulfill the scanning requirement, but the specifics vary from auditor to auditor. We recommend that customers ask their auditor early in the audit process for the exact requirements.

Penetration testing
  • Since penetration tests typically involve running a vulnerability scan against server host environments, some auditors accept them as scanning evidence.
  • Customers can upload recent penetration test reports on the Documents page.

Container scanning tools

These tools scan container images for package vulnerabilities and misconfigurations; they apply to customers that package and deploy their code via containers. This is often sufficient evidence, particularly for customers using serverless or PaaS.
  • Vanta has a container scanning feature for the following systems:
    • AWS ECR Container Scanning
    • Google Cloud Repository Container Scanning
    • Azure Defender for Containers
    • Snyk

Some auditors insist on "host-based server scanning" as a strict requirement if the customer runs servers. In these cases, container scanning needs to be supplemented with server scanning.

Code and dependency scanning

These tools scan for vulnerabilities in the customer's own code and in its code dependencies.
  • Common tools:
    • Snyk (integrates with Vanta)
    • GitHub Dependabot

As with container scanning, some auditors may ask to supplement this with server scanning.

Server scanning

These tools scan server hosts for package vulnerabilities.

Vanta does not automatically pull evidence from server scanning tools but may build integrations to support them. For each tool the customer uses, they should regularly review the findings and address them within a company-specified SLA. They can specify their SLA on Vanta's Procedures page.