On February 15th, 2022, we'll be deprecating Server Vulnerability Scanning and replacing it with integrations over time. Here's why we're making this shift and guidance on switching to a replacement.
What is this feature?
Vanta provides a Server Agent to install on servers. The Agent scans for CVEs and surfaces them on the Vulnerabilities page, providing evidence of vulnerability scanning.
Note: We are deprecating only agent scanning; all other vulnerability integrations and functionality will still be available. This also applies to servers only; we are not deprecating the Laptop Agent that powers the Computers Page.
Why phase out this feature?
- Simplifying audits: For many customers, the feature was redundant with other tools. Moreover, most auditors did not use this evidence or preferred other tools over our agent.
- Product experience: The Server Agent had poor support for many configurations (autoscale, AMIs, network setups, etc.), and installation was confusing.
- Security: While the agent is non-invasive and regularly audited for security, it still requires being installed on every server. After evaluating the functionality being provided, we determined the security benefit was not worth the security risk.
What’s replacing this?
Going forward, Vanta will do what we do best: we’ll integrate with common industry tools. We already integrate with many tools on the Vulnerabilities page, and we’ll add more over time.
For AWS users, we’ve already introduced an AWS Inspector integration. It’s built into AWS, takes a few minutes to set up, and directly replaces the Server Agent’s functionality. Learn more here.
1/7/2022: We now support the new Amazon Inspector, which provides continuous scanning, is available in more regions, and provides a one-click setup process. Get started on AWS’s website and Vanta’s vulnerability page.
How does this affect my audit(s)?
Your CSM and auditor have already been informed, and this should not significantly impact your audit.
If your audit finishes before February 1st, 2022, you should continue using the Server Agent and switch over after your audit.
Otherwise, provide evidence from at least 1 other scanner. If you’re using any other tool, the work involved should be minimal. Find more info here.
- If using a tool Vanta integrates with (such as Inspector, Snyk, or container scanning), Vanta will pull evidence automatically with no additional action required.
- Otherwise, provide quick evidence by uploading it on the Documents page. We recommend using AWS Inspector, Azure Defender for Servers, or GCP VM Manager. You’ll need to upload proof that a scan was run and that the vulnerabilities have been resolved.
- Our team is investigating pulling evidence from more tools into Vanta - stay tuned!
Once you've switched, you can turn off Vanta Agent Vulnerability scanning by clicking “Turn off now” on the Agent vulnerabilities tab.
How can I get more help?
Our goal is to make this as smooth as possible. Please don’t hesitate to contact your CSM if you have any questions.
We know that Q1 is also a busy time, so if you heavily depend on this feature, we can work with you to adjust the timeline. Just let us know.
We’re looking forward to supporting your company in a more secure and robust way!