Vulnerability scanning
Introduction
Un veedu la lock weak ah iruntha, nee dhaan first ah find panni fix pannuva, illana thief find pannuvan! Same concept dhaan vulnerability scanning. 🔍
Vulnerability scanning = Un systems, networks, applications la weaknesses automatically find panradhu. Hackers find panna munna nee find pannanum — adhu dhaan goal!
Every organization ku mandatory. Un personal systems ku kooda useful. Let's learn how! 🛡️
What is a Vulnerability?
Vulnerability = Software, hardware, or configuration la irukku oru weakness — attacker exploit panna mudiyum.
Types of vulnerabilities:
| Type | Example | Risk Level |
|---|---|---|
| Software bugs | Buffer overflow, SQL injection | 🔴 High |
| Misconfigurations | Default passwords, open ports | 🔴 High |
| Outdated software | Unpatched OS, old libraries | 🟡 Medium-High |
| Weak encryption | MD5 hashing, SSL v2 | 🟡 Medium |
| Access control flaws | Excessive permissions | 🔴 High |
| Zero-day | Unknown, unpatched vulnerabilities | 🔴 Critical |
CVE (Common Vulnerabilities and Exposures) = Global vulnerability database. Every known vulnerability ku oru unique ID irukku — like CVE-2024-12345.
CVSS Score (0-10) = Vulnerability severity measure pannuradhu:
- 0.0-3.9: Low 🟢
- 4.0-6.9: Medium 🟡
- 7.0-8.9: High 🟠
- 9.0-10.0: Critical 🔴
Types of Vulnerability Scanning
Different scanning types — different purposes:
1. Network Scanning 🌐
- Open ports, services, OS detection
- Firewall misconfigurations find pannum
- Tools: Nmap, Masscan
2. Web Application Scanning 🕸️
- SQL injection, XSS, CSRF vulnerabilities
- OWASP Top 10 check pannum
- Tools: OWASP ZAP, Burp Suite, Nikto
3. Host-based Scanning 💻
- Individual system la installed software, patches check
- Registry, file permissions audit
- Tools: Nessus, Qualys, OpenVAS
4. Database Scanning 🗄️
- Database misconfigurations, default credentials
- Excessive privileges detect
- Tools: DbProtect, AppDetectivePro
5. Cloud Scanning ☁️
- Cloud misconfigurations (S3 buckets open, IAM issues)
- Compliance check (CIS benchmarks)
- Tools: ScoutSuite, Prowler, CloudSploit
| Scan Type | Target | Frequency |
|---|---|---|
| Network | Infra | Weekly |
| Web App | Applications | Per release |
| Host | Endpoints | Monthly |
| Database | DB servers | Monthly |
| Cloud | Cloud resources | Daily |
How Vulnerability Scanning Works
Scanning process step by step:
Step 1: Discovery 🔎
- Network la alive hosts find pannum
- Ping sweep, ARP scan use pannum
- "Enna enna devices irukku?" — first question
Step 2: Port Scanning 🚪
- Each host la open ports identify
- Services running on those ports detect
nmap -sV 192.168.1.0/24— service version detection
Step 3: Vulnerability Detection 🐛
- Known CVEs against detected services match pannum
- Version numbers compare — outdated ah check
- Configuration checks run pannum
Step 4: Analysis & Reporting 📊
- Findings categorize by severity
- False positives filter pannum
- Remediation recommendations provide pannum
Two approaches:
- Credentialed scan — Login credentials use panni deep scan. More accurate, more findings. ✅
- Non-credentialed scan — Outside perspective, no login. Faster but surface-level only. ⚡
Vulnerability Management Architecture
┌─────────────────────────────────────────────────────┐ │ VULNERABILITY MANAGEMENT LIFECYCLE │ ├─────────────────────────────────────────────────────┤ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ DISCOVER │───▶│ SCAN │───▶│ ANALYZE │ │ │ │ Assets │ │ Vulns │ │ Results │ │ │ └──────────┘ └──────────┘ └────┬─────┘ │ │ │ │ │ ▼ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ VERIFY │◀───│ REMEDIATE│◀───│PRIORITIZE│ │ │ │ Fixed? │ │ Patch/Fix│ │ By Risk │ │ │ └────┬─────┘ └──────────┘ └──────────┘ │ │ │ │ │ ▼ │ │ ┌──────────┐ │ │ │ REPORT │ → Dashboard, Compliance, Trends │ │ └──────────┘ │ │ │ │ ┌─────────────────────────────────────┐ │ │ │ SCANNING ENGINE │ │ │ │ ┌─────────┐ ┌──────────────────┐ │ │ │ │ │ Scanner │ │ Vulnerability DB │ │ │ │ │ │ (Nessus/│ │ (NVD/CVE feeds) │ │ │ │ │ │ OpenVAS)│ │ Updated daily │ │ │ │ │ └────┬────┘ └────────┬─────────┘ │ │ │ │ └────────┬───────┘ │ │ │ │ ▼ │ │ │ │ ┌──────────────────────┐ │ │ │ │ │ Targets: │ │ │ │ │ │ 🌐 Network devices │ │ │ │ │ │ 💻 Servers/Endpoints│ │ │ │ │ │ 🕸️ Web applications │ │ │ │ │ │ ☁️ Cloud resources │ │ │ │ │ └──────────────────────┘ │ │ │ └─────────────────────────────────────┘ │ └─────────────────────────────────────────────────────┘
Nmap — Network Scanner King 👑
Nmap (Network Mapper) = Most popular free network scanning tool.
Essential commands:
Nmap scan types:
| Flag | Type | Description |
|---|---|---|
| -sS | SYN Scan | Stealth, half-open connection |
| -sT | TCP Connect | Full connection, noisy |
| -sU | UDP Scan | UDP ports check |
| -sV | Version | Service versions detect |
| -sn | Ping Scan | Host discovery only |
| -O | OS Detect | Operating system guess |
Pro tip: nmap -sV --script vulners target.com — vulnerability database cross-reference panni results kaatdum! 🎯
OpenVAS — Free Vulnerability Scanner
🆓 OpenVAS (Greenbone) = Enterprise-grade free vulnerability scanner!
Setup (Kali Linux la):
Features:
- 50,000+ vulnerability tests (NVTs)
- Scheduled scanning support
- Detailed reports with remediation
- Web-based dashboard (Greenbone Security Assistant)
- Credentialed and non-credentialed scans
Best practices:
- Weekly automatic scans schedule pannunga 📅
- Credentialed scan use panna — 60% more vulnerabilities find aagum
- Custom scan policies create pannunga — un environment ku specific
- Results export panni tracking spreadsheet la maintain pannunga
Commercial alternatives: Nessus ($3,990/year), Qualys (cloud-based), Rapid7 InsightVM
Web Application Scanning
Web apps ku special scanning tools vennum — OWASP Top 10 vulnerabilities find panna.
OWASP ZAP (Zed Attack Proxy) — Free web app scanner:
What it finds:
- 💉 SQL Injection — Database manipulation
- 📜 XSS (Cross-Site Scripting) — Malicious script injection
- 🔓 Broken Authentication — Session/login flaws
- 📂 Directory Traversal — Unauthorized file access
- 🔑 Sensitive Data Exposure — Unencrypted data
- ⚙️ Security Misconfigurations — Headers, cookies
Scanning modes:
- Passive Scan — Traffic observe pannum, modify pannadu. Safe! ✅
- Active Scan — Actually attack payloads send pannum. Risky! ⚠️
- Spider/Crawl — All pages discover pannum
- Ajax Spider — JavaScript-heavy apps crawl pannum
Important headers to check:
| Header | Purpose | Missing = Risk |
|---|---|---|
| Content-Security-Policy | XSS prevention | 🔴 High |
| X-Frame-Options | Clickjacking block | 🟡 Medium |
| Strict-Transport-Security | Force HTTPS | 🟡 Medium |
| X-Content-Type-Options | MIME sniffing block | 🟢 Low |
Vulnerability Prioritization
Scan results la 1000+ vulnerabilities varum — ellaam fix panna mudiyaadhu. Prioritize pannanum! 🎯
Risk-based prioritization formula:
Risk = Severity × Exploitability × Asset Value
Priority matrix:
| CVSS Score | Exploitable? | Asset Critical? | Priority |
|---|---|---|---|
| 9.0+ | Yes | Yes | 🔴 Fix NOW |
| 9.0+ | Yes | No | 🟠 Fix in 24h |
| 7.0-8.9 | Yes | Yes | 🟠 Fix in 48h |
| 7.0-8.9 | No | Yes | 🟡 Fix in 1 week |
| 4.0-6.9 | Yes | Yes | 🟡 Fix in 2 weeks |
| 4.0-6.9 | No | No | 🟢 Fix in 30 days |
| 0.0-3.9 | Any | Any | 🟢 Next cycle |
Key factors:
- EPSS (Exploit Prediction Scoring) — Probability of exploitation in next 30 days
- CISA KEV — Known Exploited Vulnerabilities catalog. Idhu la iruntha = immediate fix! 🚨
- Asset exposure — Internet-facing vs internal
- Compensating controls — Firewall/WAF already protect pannudhaa?
Handling False Positives
⚠️ False positives = Scanner says vulnerability irukku, but actually illai!
Common causes:
- Version detection inaccurate — backported patches detect aagaadhu
- Generic signature match — context illama flag pannum
- Environmental differences — scanner's assumptions wrong
How to handle:
1. Verify manually — Actually exploit try pannunga (lab la!)
2. Cross-reference — Multiple tools use panni confirm
3. Check patches — OS vendor backported fix apply panniruppanga
4. Document exceptions — False positive confirm aana, exception create with justification
False positive rate benchmarks:
- Good scanner: 5-15% false positives
- Average scanner: 15-30%
- Bad scanner: 30%+ ❌
Tip: Credentialed scans = less false positives. Scanner actual installed versions check panna mudiyadhu without credentials!
Remediation Strategies
Vulnerability find aachchu — ippo fix pannanum! 🔧
Remediation options:
1. Patch 🩹 — Best solution
- Software update install pannunga
- Vendor-released security patches apply
- Test first in staging, then production
2. Mitigate 🛡️ — Can't patch? Reduce risk
- Firewall rules add to block exploit path
- WAF rules for web vulnerabilities
- Network segmentation — isolate vulnerable system
- Disable vulnerable feature if not needed
3. Accept 📝 — Risk accept with documentation
- CVSS low + no exploit available + internal only
- Business justification document pannunga
- Management sign-off vaanganum
- Re-evaluate periodically
4. Transfer 📋 — Risk transfer
- Cyber insurance
- Third-party managed service
Patch management best practices:
- Test patches in lab environment first ✅
- Schedule regular patch windows (monthly) 📅
- Emergency patches for critical CVEs — 24-48h ⚡
- Track patch compliance — 95%+ target 🎯
- Rollback plan always ready — patch breaks something? Revert! 🔄
Continuous Vulnerability Management
One-time scan podhaadhu — continuous ah pannanum!
Why continuous?
- New CVEs daily publish aagum (50+ per day!)
- Systems change constantly — new software, configs
- Attackers don't wait for your monthly scan
Continuous scanning pipeline:
- 📋 Asset Inventory — Know what you have (you can't protect what you don't know!)
- 🔍 Automated Scanning — Daily/weekly scheduled scans
- 🔔 Alert Integration — Critical findings → Slack/Teams/PagerDuty
- 📊 Dashboard — Real-time vulnerability posture view
- 🎫 Ticketing — Auto-create Jira tickets for findings
- ✅ Verification — Re-scan after fix to confirm
- 📈 Metrics — Track MTTD (Mean Time to Detect) and MTTR (Mean Time to Remediate)
Key metrics to track:
| Metric | Target | Why |
|---|---|---|
| Scan coverage | 100% assets | No blind spots |
| MTTD | < 24 hours | Fast detection |
| MTTR (Critical) | < 48 hours | Fast fix |
| MTTR (High) | < 7 days | Reasonable |
| False positive rate | < 15% | Efficiency |
| Patch compliance | > 95% | Hygiene |
✅ Summary & Key Takeaways
Vulnerability scanning essentials recap:
✅ Vulnerability = Weakness that can be exploited by attackers
✅ Scanning types — Network, Web App, Host, Database, Cloud
✅ Tools — Nmap (network), OpenVAS (free), OWASP ZAP (web), Nessus (commercial)
✅ Prioritize by CVSS + Exploitability + Asset Value
✅ Remediate — Patch > Mitigate > Accept > Transfer
✅ Continuous scanning, not one-time — new CVEs daily!
✅ Credentialed scans find 60% more than non-credentialed
✅ Track metrics — MTTD, MTTR, coverage, compliance
Remember: Vulnerability scanning is defense — nee find pannanum before hacker find pannan! 🔍🛡️
🏁 Mini Challenge
Challenge: Comprehensive Vulnerability Assessment
3-4 weeks time la vulnerability scanning end-to-end practice pannunga:
- Nmap Port Scan — Target system (lab environment) scan pannunga:
nmap -sV -A 192.168.1.100. Open ports, services, OS detection — document pannunga.
- OpenVAS Scan — OpenVAS install pannunga (free, open-source). Vulnerable VM (Metasploitable) scan pannunga. Vulnerabilities identify, severity levels understand pannunga.
- Web Application Scan — OWASP ZAP download pannunga. Local web app scan pannunga. SQL injection, XSS, CSRF vulnerabilities find panna practice.
- Nuclei Templates — Nuclei tool install pannunga (modern vulnerability scanner). OWASP Top 10 templates use panni scan pannunga.
- Vulnerability Remediation — Each vulnerability analyze pannunga. Fix priority (CVSS score), implementation difficulty assess pannunga. Patches apply pannunga, rescan pannunga.
- Report Generation — Professional vulnerability assessment report create pannunga. Executive summary, detailed findings, remediation roadmap — include pannunga.
- Metrics Tracking — Scan results track pannunga (Excel spreadsheet). MTTD (mean time to detect), MTTR (mean time to remediate) calculate pannunga.
Certificate: Nee vulnerability assessment expert! 🔍⚠️
Interview Questions
Q1: Vulnerability scanning vs penetration testing — difference?
A: Scanning = automated tools, point-in-time snapshot, identify vulnerabilities. Penetration testing = manual, extensive, exploitation attempt, business impact. Scanning = baseline, pentest = deep dive. Both important.
Q2: False positives vulnerability scanning la — epdhi manage?
A: Validation important — scanner result verify pannunga manually. Custom rules create pannunga false positives reduce panni. Whitelisting deprecated/false vulnerabilities. Regular tool updates. Experienced analyst review pannunga.
Q3: CVSS score — epdhi prioritize?
A: CVSS 9+: Critical, immediate fix. CVSS 7-8: High, weeks la fix. CVSS 4-6: Medium, months la address. CVSS <4: Low, routine patching. But context matter — critical system la medium vulnerability kuda high priority.
Q4: Credentialed vs non-credentialed scanning?
A: Non-credentialed = attacker view (external). Credentialed = internal view (employees). Both needed — 60% more vulnerabilities credentialed la find aagum. Scanning frequency — monthly minimum, weekly ideal for critical systems.
Q5: Vulnerability management program — enterprise level setup?
A: Asset inventory maintain pannunga. Scanning policy establish pannunga. Prioritization framework (risk-based). Remediation process define pannunga. Metrics track pannunga. Regular reporting executive level la. Continuous improvement.
Frequently Asked Questions
CVSS score 9.5, actively exploited in the wild, internet-facing server — what should you do?