Commentary on what tools a customer can use to perform vulnerability scans, using either open-source or third-party vendor solutions.
Content / Solution:
With each passing day, more and more SaaS companies push their wares into the public cloud. One of the challenges they face is security: how does a customer ensure their software is protected? The recent revelations around the Heartbleed OpenSSL vulnerability underscore the need to perform routine maintenance activities such as:
- Ensuring best practices are used when configuring software for the bare minimum configuration needed to function
- Patching the OS and related software components for any vulnerabilities identified by software vendors
- Regularly performing vulnerability scans of the environment for security holes
While the first two points are usually covered by most, the last one, vulnerability scanning, is not. Although it's not a perfect science, and no single scan will reveal every security weakness present in an environment, it's one more tool that can be used to keep a would-be attacker from exploiting a server or application.
Here are a few links to some open source projects as well as commercial options aimed at addressing this particular issue:
- Nmap - http://nmap.org/
- OpenVAS (Open Vulnerability Assessment Scanner) - http://www.openvas.org/
- Nexpose - http://www.rapid7.com/products/nexpose/
There are many other solutions out there that can be used to do vulnerability scanning. In fact, it's RECOMMENDED that you use a multi-tiered approach and scan your environment(s) using different tools. In the end, whether you're in a physical environment or in the cloud, proactively scanning and performing routine maintenance on your infrastructure will help keep it free and clear of security issues.
IMPORTANT NOTE: All such scanning must be limited to your specific Cloud Networks and/or Cloud Network Domains. Scanning of other IP space and/or the IP space used by the CloudControl infrastructure is an AUP (Acceptable Use Policy) violation.
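One practical way to honour the scope restriction above is to check every requested target against the CIDR blocks you actually own before a scanner is ever invoked. The following is an added example, not code from the original article or from any of the tools listed; the OWNED_NETWORKS values are constructed RFC 5737 documentation ranges standing in for your own Cloud Network ranges, and the nmap flags shown are ordinary service-detection and output options.

```python
"""Scope-check scan targets against your own network ranges before scanning.

Added example, not from the original article. Assumes you maintain a list of
the CIDR blocks allocated to you (constructed sample values below).
"""
import ipaddress
import shlex

# Constructed sample: the CIDR blocks of your own Cloud Networks. Replace with
# the ranges actually allocated to you; RFC 5737 documentation ranges are used.
OWNED_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25"]


def partition_targets(targets, owned=OWNED_NETWORKS):
    """Split targets into (in_scope, out_of_scope).

    A target (single IP or CIDR) is in scope only if every address in it falls
    inside one of the owned networks; a CIDR that straddles the boundary is
    rejected whole rather than trimmed. Hostnames are never auto-approved,
    because the address they resolve to may not be yours.
    """
    owned_nets = [ipaddress.ip_network(n, strict=False) for n in owned]
    in_scope, out_of_scope = [], []
    for t in targets:
        try:
            net = ipaddress.ip_network(t, strict=False)
        except ValueError:
            out_of_scope.append(t)
            continue
        if any(net.subnet_of(o) for o in owned_nets if net.version == o.version):
            in_scope.append(t)
        else:
            out_of_scope.append(t)
    return in_scope, out_of_scope


def build_nmap_command(targets, owned=OWNED_NETWORKS):
    """Return an nmap argv list for the targets, or None if any target is out
    of scope (fail closed: one bad target aborts the whole run)."""
    in_scope, out_of_scope = partition_targets(targets, owned)
    if out_of_scope or not in_scope:
        return None
    # -sV: service/version detection; -oA: write all output formats with prefix
    return ["nmap", "-sV", "-oA", "scan-results", *in_scope]


if __name__ == "__main__":
    requested = ["192.0.2.10", "192.0.2.0/26", "198.51.100.130", "203.0.113.5/32"]
    ok, rejected = partition_targets(requested)
    print("in scope:", ok, "rejected:", rejected)
    cmd = build_nmap_command(ok)
    print("would run:", shlex.join(cmd) if cmd else "nothing (scope violation)")
```

Run the wrapper from your scanning host and feed the resulting argv to nmap only when it is not None; the same partition check can front any of the other scanners listed above.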