A guide to choosing the right vulnerability scanner

TL;DR

If you aim for low effort and want to focus on externally accessible systems (which carry the highest risk potential), Offensity is the ideal entry-level product. It will save experienced security teams and professional IT admins a lot of effort. (Naturally, we are biased towards this product. So, if you are skeptical, see for yourself and try our product: get free vulnerability scans for 1 domain and up to 10 subdomains!)

However, companies with high security requirements - including internal systems - cannot do without a scanner for the internal network, such as Tenable Nessus or Nexpose.

Especially when working in web development or with a particularly large number of web applications, it is also worthwhile to purchase a web scanner such as Qualys or Acunetix.

Product       | Internal/external     | Web/Network | SaaS/On-Premise                 | New vulnerabilities detected quickly | Time and effort
--------------|-----------------------|-------------|---------------------------------|--------------------------------------|----------------
Offensity     | external              | Network     | SaaS                            | Yes                                  | Low
OpenVAS       | external and internal | Network     | On-Premise                      | No                                   | High
Tenable Nessus| external and internal | Network     | On-Premise or SaaS              | No                                   | High
Nexpose       | external and internal | Network     | On-Premise or SaaS (external)   | No                                   | High
Qualys        | external              | Web         | SaaS                            | No                                   | Medium
Qualys        | internal              | Web         | Hardware                        | No                                   | High
Acunetix      | external              | Web         | On-Premise or SaaS              | No                                   | Medium
Acunetix      | internal              | Web         | On-Premise                      | No                                   | High



The choice of vulnerability scanners is vast. Which criteria should you use to decide? And which one is best suited to your use case? This guide aims to help you make a good decision.

Internal or external?

Systems that are accessible from the Internet can be attacked from anywhere in the world, 24 hours a day, seven days a week. They are often the primary target because they are constantly available and can be discovered "by accident" in mass attacks.

Internal networks are often reached by attackers via malware that employees download from the Internet or receive by e-mail. Carrying out such an attack requires a highly determined attacker with serious criminal intent. Often, the attack path also begins at externally accessible systems, which allow the attacker to jump into the internal network.

“Web” or “network”?

Pure web scanners only check web applications for security vulnerabilities. What good is it for a company to have a super-secure website if the data can be read and modified via a file server (like FTP) without logging in? Web scanners are specialized vulnerability scanners that are most likely to pay off for software vendors and companies with a particularly large number of web applications. These include, for example, the web application scanners from Qualys or Acunetix.

Network scanners check (at least in theory) all services accessible via the network. They provide a more comprehensive picture of the vulnerabilities in an IT environment. These scanners often have their greatest weaknesses in checking web applications (this is also the reason why web scanners have become established as a specialized form of vulnerability scanner). They usually check web applications only superficially and without authentication. Network scanners are, for example, Offensity, OpenVAS (open source), Nessus from Tenable or Nexpose from Rapid7.

A network scanner is usually the best basis for vulnerability scans and can be recommended as a first step. If the network scanner's capabilities are no longer sufficient for complex websites, it can be supplemented by a web scanner. Very large companies usually cannot avoid using web and network scanners in parallel.

SaaS or On-Premise?

Some vulnerability scanners are available as software that must be installed on a server (On-Premise). It is important to note that the server and its operation (ongoing updates, configuration management, etc.) incur costs in addition to the licenses. As a rule, the data does not leave your own network.

When using a service provider (Software-as-a-Service, "SaaS"), the provider usually supplies a web dashboard, and the customer does not have to take care of either setup or configuration.


How quickly are new vulnerabilities identified?

It only takes a few hours to days for a newly published vulnerability to be actively exploited by attackers to take over target systems. However, if scanning is done only at long intervals (e.g., monthly), a lot of time usually elapses from the time it becomes known until new vulnerabilities are detected. While this is usually not too critical for internal systems, it can be fatal for external systems (accessible from the Internet).

Most scanners need to perform a full scan (at least of the dependencies) to detect a new vulnerability. This can take up to several hours per system. Offensity is the only vulnerability scanner that can draw on data from past scans to detect new vulnerabilities more quickly. The scans are started automatically when new vulnerabilities become known and do not require any manual interaction.
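As an added illustration of the idea in this section (example code written for this guide, not Offensity's or any other vendor's implementation): a newly published advisory's affected version range is matched against service fingerprints kept from earlier scans, so only the hosts that are actually affected need a fresh scan. The hostnames, product names and the advisory range are constructed sample data.

```python
# Added example: re-using fingerprints recorded by past scans to find hosts hit by a
# new advisory without rescanning everything. Not any vendor's real implementation.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fingerprint:
    host: str
    product: str   # normalised product name, e.g. "openssh"
    version: str   # version string as reported by the service banner


def parse_version(v: str) -> tuple:
    """Turn '7.4p1' into (7, 4) so versions compare numerically, not lexically."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:          # stop at the first non-numeric piece ("p1", "beta")
            break
        parts.append(int(digits))
    return tuple(parts)


def in_range(version: str, lo: str, hi_excl: Optional[str]) -> bool:
    """True if lo <= version < hi_excl; hi_excl=None means no upper bound."""
    v = parse_version(version)
    if v < parse_version(lo):
        return False
    return hi_excl is None or v < parse_version(hi_excl)


def affected_hosts(inventory, product: str, lo: str, hi_excl: Optional[str]) -> list:
    """Hosts whose recorded fingerprint falls inside the advisory's affected range."""
    return sorted({fp.host for fp in inventory
                   if fp.product == product and in_range(fp.version, lo, hi_excl)})


# Constructed sample inventory standing in for data kept from past scans.
PAST_SCANS = [
    Fingerprint("www.example.com", "nginx", "1.18.0"),
    Fingerprint("mail.example.com", "openssh", "7.4p1"),
    Fingerprint("git.example.com", "openssh", "8.9p1"),
    Fingerprint("shop.example.com", "nginx", "1.24.0"),
]

if __name__ == "__main__":
    # Hypothetical advisory: nginx from 1.16.0 up to (excluding) 1.20.0 is affected.
    print(affected_hosts(PAST_SCANS, "nginx", "1.16.0", "1.20.0"))  # ['www.example.com']
```

The hosts returned are the ones worth a targeted rescan; everything else can wait for the regular cycle.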

How costly are support and operation?

Typical vulnerability scanner reports are bloated and can only be interpreted correctly by in-house security personnel. The consequence is either additional (expensive) personnel costs or neglected manual follow-up on the automated reports when the team has too many more urgent things to do. A simple and clear presentation of the results is therefore worth a lot. A report from Tenable Nessus can run to over 100 pages, contain redundant information and be difficult for system administrators to interpret.

Offensity's reports are simple and clear, providing every administrator with enough information to easily fix vulnerabilities.


By the way, you can also use Offensity for free. Simply register and set it up.