Chapter 82 · Concepts

Vulnerability Scanning — Concept Maps

Structured breakdowns and comparisons for vulnerability scanning vs. penetration testing, internal vs. external scans, SAST, fuzzing, package verification, and severity triage.

Vulnerability Scanning vs. Penetration Testing
PropertyVulnerability ScanningPenetration Testing
GoalIdentify potential weaknessesConfirm weaknesses are exploitable; measure actual impact
ExploitationNone — scanning only; no attacks launchedActive exploitation of confirmed vulnerabilities
InvasivenessMinimally invasive; production-safe in most casesIntentionally invasive; can crash services, modify data
OutputList of potential vulnerabilities by severityConfirmed vulnerabilities + attacker pathway demonstration
FrequencyContinuous or regularly scheduled (weekly, monthly)Periodic engagements (annual, post-major-change)
AnalogyChecking which doors are unlockedWalking through the unlocked doors and mapping what's inside
Internal vs. External Scanning — Two Perspectives
PropertyExternal ScanInternal Scan
Scan positionOutside the network perimeter (internet-facing)Inside the network perimeter
Attacker modelExternal attacker with no prior accessInsider threat, compromised account, or post-breach lateral movement
What it findsInternet-facing services, open ports on public IPs, exposed APIs, public-facing serversInternal devices (workstations, printers, databases), shadow IT, unauthorized devices, internal-only services
Common misconception"We don't need internal scanning because we have a firewall" — false; insiders and post-breach attackers operate inside the perimeter
Required together?Yes — external alone misses internal vulnerabilities; internal alone misses internet-facing exposure. Both are required for complete coverage.
SAST — What It Finds vs. What It Misses
CategorySAST Can FindSAST Cannot Find
Memory safetyBuffer overflow patterns, unsafe C functions (strcpy, gets, sprintf)Heap corruption that only manifests with specific runtime inputs
InjectionSQL string concatenation patterns, unescaped output to HTML contextSecond-order injection where stored data is used safely in one place but unsafely in another
CredentialsHardcoded passwords, API keys in source codeCredentials passed at runtime via environment variables (not in code)
CryptographyUse of deprecated algorithms (MD5, SHA-1, DES)Correct algorithm used incorrectly (AES-ECB mode, wrong IV reuse, improper key management)
AuthenticationMissing authentication checks on individual routes (sometimes)Authentication design flaws — race conditions, session predictability, token entropy issues
Business logicNothing — SAST does not understand business intentAll business logic vulnerabilities (price manipulation, workflow bypass, privilege escalation through intended features)
Fuzzing — Synonyms and Anomalous Response Indicators
CategoryDetails
Synonyms for fuzzing on the examFault injection, robustness testing, negative testing, syntax testing — all describe submitting unexpected input to observe behavior
What a fuzzer submitsRandom data, boundary values (0, -1, MAX_INT, empty string, null), oversized input, malformed structure, encoding variants, protocol-invalid sequences
Anomalous responses that indicate a vulnerabilityApplication crash or segfault, unhandled exception with stack trace, HTTP 500 server error where 400 was expected, memory corruption indicators, timeout or freeze, unexpected output (data leak)
Why anomalous response = potential vulnerabilityCrash or error on malformed input reveals the code path that an attacker would seek to control — buffer overflow, null dereference, logic error. The same crash an attacker would try to trigger and exploit.
Fuzzing is dynamic — application must be runningComplements SAST (static, no execution needed). Together they cover different vulnerability classes.
Historical origin1988, University of Wisconsin, Professor Barton Miller, "OS Utility Program Reliability" course — the Fuzz Generator project demonstrated random input reliably exposed UNIX utility flaws
CERT BFFCERT Basic Fuzzing Framework — Carnegie Mellon University; structured, accessible fuzzing environment for organizational use
Package Monitoring — Supply Chain Verification Techniques
TechniqueHow It WorksWhat It Detects
Digital signaturesPackage maintainer signs the release with their private key; consumer verifies with maintainer's public key before installationPackages modified after publication; packages from unexpected sources
Hash validationCompare SHA-256 (or SHA-512) hash of downloaded file against hash published by maintainer on official channelAny modification to the file — even a single byte changes the hash
Repository authenticationConfirm download came from official repository, not a mirror, fork, or third-party hostTyposquatting packages, unofficial forks with injected code, compromised mirrors
Lab testing before productionDeploy package in isolated environment; observe behavior before production rolloutMalicious behavior that static checks miss; unexpected network connections, file system changes
Continuous CVE monitoringTools (OWASP Dependency-Check, Dependabot, Snyk) track all installed dependencies against CVE databases; alert when a CVE is published for an installed versionKnown vulnerabilities in currently installed dependency versions; eliminates gap between "CVE disclosed" and "organization aware"
Vulnerability Severity Triage — The Post-Scan Workflow
StepActionWhy It Matters
1. Review findingsExamine each scanner finding individually; understand what the scanner detectedScanners generate hundreds of findings across many systems; raw output is not actionable without review
2. Verify against actual systemConfirm the vulnerability exists as reported; check whether compensating controls applyEliminates false positives before remediation is scheduled; prevents wasted patching effort
3. Classify severityRate each confirmed finding: Critical, High, Medium, Low, or InformationalNot all vulnerabilities are equal; severity drives remediation timeline
4. Prioritize by exploitability and contextCritical/High findings on internet-facing or data-holding systems get immediate attention; Medium/Low addressed in scheduled maintenanceAttempting to fix everything simultaneously is operationally infeasible; prioritization makes remediation sustainable
5. Remediate and rescanApply patches, configuration changes, or workarounds; rescan to confirm resolutionRemediation without verification leaves false confidence; rescan closes the loop