Not all vulnerability scanners are created equal, and despite what many think, there isn't a "one size fits all" scanner. Your business is unique; that also means you may have different vulnerabilities than the business next door.
Here are some questions you need to ask about your business and about your potential vulnerability scanner.
See also: SecurityMetrics Vulnerability Scanning FAQ
Vulnerability scans assess your computer, network, and systems for potential vulnerabilities hackers could exploit. This is helpful for you to figure out where your business may be open to attack.
See also: How Long are Businesses Vulnerable Before a Security Breach?
There are two main types of vulnerability scans: internal and external.
Many businesses may not realize they often need to perform both types of vulnerability scans to fulfill PCI requirements.
See also: Perimeter Scan Vs. External Vulnerability Scan
There are advertisements for free vulnerability scanners, but you basically get what you pay for. These scanners aren't PCI approved, and they don't scan deep enough into your systems to find much of anything. If you want a scanner that finds the vulnerabilities that matter, you'll need to pay for it.
PCI DSS requires quarterly internal and external vulnerability scans. You should also rescan after any significant change to your environment, such as new equipment, new software, or updates.
See if the organization providing your scanner will do unlimited scans per target to help minimize the cost.
Most vulnerability scanners fulfill the basic requirements that PCI DSS has set up, but there are scanners that go beyond the requirements. If your business is dealing with sensitive information, it may be good to get a scanner that takes care of issues not specifically stated in PCI requirements.
See also: Vulnerability Scanners 101: What, Why, and How to Comply
False positives occur when a vulnerability scanner reports a vulnerability that isn't actually present. This usually happens when the scanner flags a bug that has already been patched. When selecting a scanner, you'll need to consider its false positive rate: the more false positives it produces, the more time you spend sifting through issues that don't need fixing. An ideal scanner has few false positives.
The frequency of updates varies with each scanner. Some update monthly, others weekly, or even daily. Since attackers are constantly changing tactics, you should find a scanner that updates frequently so that it can detect newly discovered vulnerabilities.
Remember, when choosing your vulnerability scanner, you must decide what works best for your business. Consider your company's unique needs and find the best scanner to keep your business secure.
See also: 10 Qualities To Look For When Selecting an Approved Scanning Vendor
Check out our infographic, How to Choose the Best Vulnerability Scanner, to help you select the right vulnerability scan tool for your organization.