On February 15th, 2022, we'll deprecate Server Vulnerability Scanning and replace it with integrations over time. Here's why we're making this shift and guidance on switching to a replacement.
What is this feature?
Vanta provides a Server Agent to install on servers. The Agent scans for CVEs and surfaces them on the Vulnerabilities page, giving evidence of vulnerability scanning.
Note: We are solely deprecating agent scanning — all other vulnerability integrations and functionality will still be available. Also, note that this is servers only; we are not deprecating the Laptop Agent that powers the Computers Page.
Why phase out this feature?
- Simplifying audits: For many customers, the feature was redundant with other tools. Moreover, most auditors did not use this evidence or preferred other tools over our Agent.
- Product experience: The Server Agent had poor support for many configurations (autoscale, AMIs, network setups, etc.), and installation was confusing.
- Security: While the Agent is non-invasive and regularly audited for security, it still requires installation on every server. After evaluating the functionality, we determined the security benefit was not worth the security risk.
What's replacing this?
Going forward, Vanta will do what we do best: we'll integrate with standard industry tools. We already integrate many tools on the Vulnerabilities page, and we'll add more over time.
For AWS users, we've already introduced an AWS Inspector integration. It's built into AWS, takes a few minutes to set up, and directly replaces the Server Agent's functionality.
1/7/2022: We now support the new Amazon Inspector, which provides continuous scanning, is available in more regions, and provides a one-click setup process. Get started on AWS's website and Vanta's vulnerability page.
How does this affect my audit(s)?
Your CSM and auditor have already been informed, and this change should not significantly impact your audit.
If your audit finishes before February 1st, 2022, you should continue using the Server Agent and switch over after your audit.
Otherwise, provide evidence from at least one other scanner. The work involved should be minimal if you're using any other tool. Find more info here.
- If using a tool Vanta integrates with (such as Inspector, Snyk, or container scanning), Vanta will pull evidence automatically without additional action.
- Otherwise, provide quick evidence by uploading it on the Documents page. We recommend using AWS Inspector, Azure Defender for Servers, or GCP VM Manager. You'll need to upload proof that a scan was run and that the vulnerabilities have been resolved.
- Our team is investigating pulling evidence from more tools into Vanta - stay tuned!
Once you've switched, you can turn off Vanta Agent Vulnerability scanning by clicking "Turn off now" on the Agent vulnerabilities tab.
How can I get more help?
Our goal is to make this as smooth as possible; please don't hesitate to contact your CSM if you have any questions.
We know that Q1 is also a busy time, so if you heavily depend on this feature, we can work with you to adjust the timeline; just let us know.
We're looking forward to supporting your company in a more secure and robust way!