All right. So welcome to lessen to dot to, um, we're going to be talking about security scanning software in this lesson.
All right, So are learning objectives for this lesson. We're going to be looking at what security scanning software is how it aids and vulnerability management.
How to overcome some of those common challenges with vulnerability. Scanning mentioned some in the earlier module. We're gonna talk a little bit more in here and then what code reviews can do to aid in security skinning and software development.
So security scanning This is obviously a big component vulnerability management, as I discussed before, It's not the only thing, but it is really important. Um, you really need to have the proper information to create effective vulnerability scans. So having the right credentials, having eyepiece or host names
appropriate security settings so that you can allow for that scanning. Um, I've seen before where people are like a I don't have any vulnerabilities,
and I'm like, Well, yeah, because your scan didn't isn't authenticated or we don't have the right eye peas. We need to update those or you'll. Hey, there's this security setting missing. We've gotta add this so that way we have the ability to actually scanned this host on Ben. All those vulnerabilities pop up. It's like, Oh, we have some work to dio eso having those set up from the beginning can really help to lower re,
uh, can really help to lower overhead.
So looking for common vulnerabilities. So most of the tools that I'm familiar with their ranked using the CBS s scoring system. So that just gives you an idea of
what the vulnerabilities are. You know, if it scored a 10 obviously critical. So you can take a look at the CBS escorting to get an idea of you know how important that vulnerability is. And then you take that that next next step further to figure out how important it is to your organization.
And of course, this helps to identify and prioritise vulnerabilities, you know, without knowing what's in your environment. There's no way that you can fix the appropriate vulnerabilities.
I think these air so important, Um, especially integrating security from the beginning. Uh, it helps so much because security can really get those scans going, you know, using certain tools. Teoh, audit the source code. You know, figuring out. Um
Hey, do we have some security Miss Configurations in here? Is it possible that we could make this Coats it more secure?
Um, you know, before we get to our gate, reveal eso proper security controls are present there, working as intended. That's what your code review is really gonna help you dio on. And of course, they're two different types of code reviews. You can do a static analysis or a dynamic analysis eso depending on what you have access to or what kind of review want to dio you have options.
Um, and then you have to have kind of that balance between human review and tool use. Uh, it's really important for someone on the security team to have some development experience
and really understand what secure coding means to be able Teoh use the tools. But I also understand what the tools air saying,
uh, and again building the security at the beginning, you're not gonna have to go back and fix code. Uh, you know, at the end of the day, if you just say, Hey, here's my code. We're ready to go. I need it back in a week. Well, that could be really difficult for security because they may find things. You've only got a week to try to mediate things, and as you change code, you could break other things. So it's this horrible chain
that if you have security at the onset, you can You can have more time,
uh, to fix potential issues before they get to the end of the project.
Eso some common issues I know I've seen a lot of thes things in my time helping with security scans,
unauthenticated scans or partial authentication. You have you missing directories, the inability to scanned some things. I add the puzzle piece, uh, picture here because I think it's really important. It's like, Whoa, we've got all these pieces we gotta put together to make sure that we're having a really effective security scan
missing I p zero p ranges. And this is where I, T and Security can really work together. You know, if I t is working on a new project, maybe they're adding new I p ranges. Maybe they're upgrading their their network. Um, so it's really important to have that security involvement that they can say, Hey, we're upgrading these things can you make sure you scan them
or Hey, I changed the site. P. I don't know if you're doing a static i p analysis, but
I've changed the i p. Here's the I p um,
that that can really help to fix some of those issues
Skins conducted with host names I know I've seen in the past some issues with this. I think it's easier to skin with I p ranges. Host teams can change. You might have issues with them. But if you if you're looking at a full I p range, that can make it the scan a lot easier and a lot less changes, you might have to dio within the scan itself to help with automation.
High number of false positives. I know there's a lot of ways that you can go in and say, Hey, I accept this risk or I know about this risk. I'm not worried about this one, you know, we've already we've got a poem in place or we we've accepted that we're gonna move on eso having those high number of false positives. It could be really difficult to have
anyone who's on the receiving end of that report
be able to remediate those vulnerabilities effectively.
Too many vulnerabilities. This is a huge problem. You know when When you're looking at your scans and you're like, Oh, my gosh, I have all these critical Is these highs, These mediums? I don't know what to dio. Um,
that makes it really difficult to prioritize your remediation effort. You know, if you if you hadn't been remediating and then all of a sudden it's like, Oh, man, we really need to have a push for this. It could be really challenging, Um, and can take a lot of time to kind of get you to that place where you can just maintain eso. That's that's definitely a common problem. I know I've seen
All right, so how can we resolve them? Because just knowing with problems are that doesn't help us. We need to figure out how we can resolve them.
Eso having someone on your security team, uh, who really understands security scanning, really? Whether they've got the training, they have the experience.
So when you can look for these common issues and help fix them with their you know, the system owners or the I T administrators, so checking often for authentication issues. You know, I know there's reporting tools that you can use
to help you identify authentication issues and then take them and report them to the system owners and say, Hey, we're having some authentication issues. Is the account locked? What's going on?
Ah, that can help resolve that Discovery scans. I mentioned this in the early module, but having those disco discovery scans running all the time, it will help you find potentially missing. I ps You know, maybe someone Ally T team didn't realize that the I p had changed or, you know, some something It happened. And maybe that didn't get related.
Eso those discovery scans can really help you find any of those missing eyepiece and figuring out,
ah, where they should go in your scans.
Ah, scan more frequent frequently. Um, think daily. Think weekly. Uh, it can be difficult again if you don't have the resource is for it. But trying to get to that daily or weekly scans that can really help you get a better picture of what's going on in the environment, Um,
and allowing your team to identify those false positives so saying, you know what? It's okay. We accept this risk. Let's not focus on this anymore. I don't want to see it.
I just want to focus on the important stuff.
Um, so focusing on this critical vulnerabilities first, I think that's always important. But again, with the caveat of understanding that you know your environment might be different, you need to you need to look at your environment and figure out what your critical assets are, as well as the critical vulnerabilities. If you have critical vulnerabilities on your critical assets, though, should come first.
Ah, and then looking for exploitable vulnerabilities.
That's definitely part of that
understanding. Kind of what's out there in the environment was actually exploitable. And then let's fix those,
um, and get ahead. I know, uh, in my patch management days, I had plenty of days where I would wake up at 4 30 try to get everything done before I went into work at seven. So
having your team focus on those remediation efforts, maybe for a month, maybe for two months, that can really help cut down on the amount of vulnerabilities that you have. If you can say, Listen, we got to take this one big push on and then we'll get these vulnerabilities remediated, and then you can move on to other projects that can help just to give that focus,
you know, from the executive leadership standpoint and say,
We got to get this done, take two months, get it on and it will focus on other projects.
So today we talked about what vulnerability scanning is. Why it's so important to have those, uh, effective vulnerability scans what code reviews are and how they're related to vulnerability management.
Some of those common issues that we see invulnerability, scanning and then how those issues can be resolved in an organization
on here. My references. I'll see you guys in the next lesson.