Security Scanning

By Prerna Srivastava posted Tue December 20, 2022 04:30 AM

  

What is Security Scanning

Security scanning, also called vulnerability scanning, is the process of examining a product, website, file system or network for security weaknesses and identifying the vulnerabilities present. A variety of scans exist, each covering a different aspect of the product.

Types of Security Scans 

Static Application Scan on Cloud:
This scan examines the full deliverable: the product's source, binary or byte code. It identifies vulnerabilities together with their root causes, analysing the product from the inside out by reading the code, so no runtime environment is needed. When the scan completes, the SAST tool produces a report listing vulnerabilities such as insecure cryptography and unprotected authentication credentials.

This scan matters because it identifies the root cause of critical vulnerabilities, which can then be analysed, fixed and tested during development, before the product is deployed to the staging and production environments.

Dynamic Application Scan on Cloud: This scan runs against the product in a runtime environment, for example containers running in staging and production, and also exercises the product's web console to find vulnerabilities that could be exploited by an attacker. It evaluates the product from the outside in by probing it as a malicious user would. When the scan completes, the DAST tool produces a report listing issues such as SQL injection and unnecessary response headers.

This scan matters because it can be run during the SDLC, so vulnerabilities in the product are caught before it is deployed to production for public users.
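The outside-in check described above, shown as an added example rather than code from the original post or from any DAST product: a local test server stands in for the product's web console (its headers are constructed for this example), and the scanner makes a plain GET request, as an unauthenticated outsider would, and reports headers that disclose server or framework versions. The header list and server values are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// disclosureHeaders lists response headers that reveal server software or
// framework versions. A DAST scanner reports them as unnecessary headers
// because they let an attacker choose version-specific exploits.
// Assumption: this list is illustrative, not any scanner's rule set.
var disclosureHeaders = []string{"Server", "X-Powered-By", "X-AspNet-Version"}

// NewSampleServer starts a local test server standing in for the product's
// web console. The header values are constructed for this example.
func NewSampleServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Server", "ExampleHTTPD/1.2.3")
		w.Header().Set("X-Powered-By", "ExampleFramework/4.5")
		w.Header().Set("Content-Type", "text/html")
		fmt.Fprint(w, "<html><body>console</body></html>")
	}))
}

// ScanDisclosureHeaders makes one unauthenticated GET request, exactly what
// an outsider can do, and returns findings as "Header: value", sorted so the
// output is stable. No source code or deployment access is needed.
func ScanDisclosureHeaders(url string) ([]string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var findings []string
	for _, h := range disclosureHeaders {
		if v := resp.Header.Get(h); v != "" {
			findings = append(findings, fmt.Sprintf("%s: %s", h, v))
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	srv := NewSampleServer()
	defer srv.Close()

	findings, err := ScanDisclosureHeaders(srv.URL)
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("unnecessary response header:", f)
	}
}
```

The point of the example is where the evidence comes from: the scanner never sees the code, only what the running service returns, which is why this class of finding (and SQL injection, which needs a live endpoint to probe) appears in a DAST report rather than a SAST one.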

Twistlock Scan: This scan is carried out by the Twistlock scanner, which runs against the latest set of deployed images. It performs both a vulnerability scan and a compliance scan, and reports the vulnerable CVEs (Common Vulnerabilities and Exposures) found, each with a severity of Low, Medium or High. The results give the location of the vulnerable package and the version in which the vulnerability is fixed, so once analysis confirms that the product is affected, the vulnerable package can be removed or upgraded.

WhiteSource Scan: This scan analyses the open source libraries a product depends on. It scans the repository in which the WhiteSource tool is installed and lists every library with known vulnerabilities, with details of the vulnerable package and suggested fixes to remediate the issue. It also raises an issue or task in the repository for each CVE found; once the issue is remediated, the entry disappears from the list of vulnerabilities on the next scan.

Vulnerability Assessment Scan: This scan is the process of reviewing security weaknesses across the IT environment. All products, applications, networks, third-party products and so on are scanned to identify vulnerabilities; the assessment also assigns a severity level to each vulnerability so that they can be prioritised.

Go-sec Scan: This scan uses the gosec tool, which inspects code written in Go for security flaws. Gosec's checks include use of the unsafe package, SQL statements built by string formatting or concatenation, and similar patterns.
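To make concrete both the Static Application Scan paragraph (analysing code with no runtime environment) and the gosec paragraph, here is an added example, not code from the original post and not gosec's own implementation: a single static rule written with Go's standard go/ast package. It parses a constructed Go file embedded below and flags any fmt.Sprintf call whose format string begins with a SQL verb, which is a simplified stand-in for gosec's G201 check. The sample file, the function names and the rule's SQL verb list are assumptions for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// sampleSource is a constructed Go file for the scanner to inspect. Its line 9
// builds a SQL statement with fmt.Sprintf (the pattern gosec reports as G201);
// lookupSafe passes the value as a bound parameter instead and is not flagged.
const sampleSource = `package sample

import (
	"database/sql"
	"fmt"
)

func lookup(db *sql.DB, name string) (*sql.Rows, error) {
	q := fmt.Sprintf("SELECT id FROM users WHERE name = '%s'", name)
	return db.Query(q)
}

func lookupSafe(db *sql.DB, name string) (*sql.Rows, error) {
	return db.Query("SELECT id FROM users WHERE name = ?", name)
}

func greeting(name string) string {
	return fmt.Sprintf("hello %s", name)
}
`

// Finding is one reported issue with the source line it occurs on.
type Finding struct {
	Line int
	Msg  string
}

// sqlVerbs is an assumed, illustrative list of statement prefixes that mark a
// string literal as a SQL statement.
var sqlVerbs = []string{"SELECT ", "INSERT ", "UPDATE ", "DELETE "}

// isSQLLiteral reports whether e is a string literal that starts with a SQL verb.
func isSQLLiteral(e ast.Expr) bool {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return false
	}
	s, err := strconv.Unquote(lit.Value)
	if err != nil {
		return false
	}
	up := strings.ToUpper(strings.TrimSpace(s))
	for _, v := range sqlVerbs {
		if strings.HasPrefix(up, v) {
			return true
		}
	}
	return false
}

// isFmtSprintf reports whether call is fmt.Sprintf(...).
func isFmtSprintf(call *ast.CallExpr) bool {
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	pkg, ok := sel.X.(*ast.Ident)
	return ok && pkg.Name == "fmt" && sel.Sel.Name == "Sprintf"
}

// ScanSource parses src without compiling or running it and walks the syntax
// tree, which is what "no runtime environment is needed" means in practice.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		// A Sprintf with only a format string and no arguments cannot splice
		// untrusted data into the statement, so it is not reported.
		if !ok || !isFmtSprintf(call) || len(call.Args) < 2 {
			return true
		}
		if isSQLLiteral(call.Args[0]) {
			findings = append(findings, Finding{
				Line: fset.Position(call.Pos()).Line,
				Msg:  "SQL statement built with fmt.Sprintf; bind the value as a placeholder parameter",
			})
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, err := ScanSource("sample.go", sampleSource)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Msg)
	}
}
```

Running it reports only the lookup function: greeting also calls fmt.Sprintf but its format string is not SQL, and lookupSafe keeps the statement text constant and hands the user value to the driver separately, which is the fix a SAST report would ask for. The real gosec rules (G201 for format strings, G202 for concatenation, G103 for the unsafe package) work the same way on the syntax tree, with more cases covered.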


Comments

Wed December 21, 2022 04:09 AM

Could you expand your post to refer to MQ, since you have posted it in the MQ area? For example, how could you use these scans to test MQ?