Security Manager's Journal: A new look at vulnerability scanners

They've improved, which raises some interesting possibilities for shoring up security defenses

In my last column, I wrote about the zero-day Java exploit that was making headlines at the time. In my search for countermeasures, I discovered that my company runs many different version of Java -- and for various reasons, those different versions may be necessary for the functionality of the applications that rely on Java.

This came as some surprise, because I figured (perhaps naively) that upgrading to the latest version would be a reasonable first step in protecting against the exploit by closing the underlying vulnerability, along with all the others that have accumulated over time in older versions of the Java platform. I assumed that older applications would still work on the newest Java version. Don't they make it backward-compatible?

I don't know enough about Java to judge the answer, but the developers tell me it's not true. We have to keep our older versions around, because the newer versions will break our applications. Great. That means I have half a dozen different vulnerable platforms instead of just one.

The search for a solution to this dilemma led me to vulnerability scanners. In order to find out which of my company's servers are vulnerable to the Java exploit, I needed to discover which systems are running Java, and which versions, so I could consistently deploy the right patches. A vulnerability-scanning tool would tell me this.

I've never been a fan of vulnerability scanners before now. It always seemed to me that a scoring system based on the raw number of vulnerabilities, whether confirmed or not, wasn't really all that useful. And I never thought the resulting reports were very good at defining what needs to be done to correct the vulnerabilities. In the end, all you really get from vulnerability scanning is a lot of unactionable raw data that doesn't have much value. But I admit it's been a few years since I've looked at the state of the technology.

So I decided to take another look at vulnerability-scanning products and services. I evaluated several options, and it looks like they've improved since I last checked. The reports are still full of false positives -- about half of the results didn't apply to the operating system I tested -- but the reports are pretty decent, with some amount of actionable remediation suggestions. And they were able to identify the vulnerabilities in Java, which was the driving factor for me.

The server team members now have their hands full closing Java vulnerabilities (and others), and the desktop team is equally busy. So overall, this was a good outcome. Once those holes are closed, I'm thinking of taking another step: basing a server-hardening standard off vulnerability scans. Until now, server hardening has been done based on a checklist I wrote, which was built from a list of best practices and recommendations found on the Web. With a vulnerability scanner to find weaknesses in my company's servers, coupled with a set of configuration and system changes, I'm thinking I should be able to reduce the overall attack surface of my servers. This is basically a feedback process, iterated through scanning and remediation, and that seems to me like a better process than the blind, one-way approach in use today. And that seems like a pretty good outcome from what was originally a search for a quick fix to a high-risk vulnerability.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at

Join in

To join in the discussions about security, go to

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by J.F. Rice

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place