
Cloud scanners are becoming more common these days. Pricing is a lot cheaper than on-premise scanners. My concern with cloud scanners is that they store sensitive information on a third-party network. (I am not sure if the sensitive information only includes scan results.) Is there any other information a cloud scanner may store besides scan results? I know when I was taking cyber law and compliance classes, I remember some of them (HIPAA, SOX, PCI) required different sets of rules for transferring personal information to another site. Should I be concerned with this when using a cloud web application scanner, whether it is SAST or DAST? What are your experiences and thoughts on cloud scanners vs on-premise ones?

DoodleKana

1 Answer

I have used both. You will get different results with a cloud-based scanner versus an on-premise scanner.

Typically an on-premise scanner performs authenticated scans against your assets with no port restrictions or hindrance from other security devices. This gives you a true snapshot of system vulnerabilities.

Cloud-based scanners typically scan your externally facing assets unauthenticated, and must traverse the same infrastructure an attacker would (IPS, WAF, firewall, etc.). This gives you an idea of what an attacker would see.

They both paint a different picture of your network and are typically used in tandem, not in lieu of each other.

Now, with that being said, maybe you are allowing a cloud-based scanner unadulterated access to your internal network, which I personally would advise against.

Common information gathered by a vulnerability scanner:

  • Networks
  • IP addresses
  • MAC addresses
  • Operating systems
  • Installed applications
  • Hardware specifications
  • Open ports
  • Running services
  • Running processes
  • Shares
  • Users / Groups
  • Domain / Workgroup membership
  • Event logs
  • Registry keys
  • Any vulnerabilities found

There is a chance that some PII could be contained in scan results. For example, many scanners allow you to review the details of a finding.

Checked for: (SSN Regex) Found: 112 25 0027

k1DBLITZ
  • I think this is a fair answer. It highlights the differences between both scan types and what information the cloud one stores. – DoodleKana Sep 05 '14 at 17:53
  • Another thing to highlight here is that for cloud solutions you want to make sure that the third party's security policy is equal to or greater than your own org's security policy. This has to be carefully done by your internal org audit team. – DoodleKana Sep 08 '14 at 22:55
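The answer's closing example, a scanner finding that embeds a full SSN, is exactly the kind of record the question worries about handing to a third party. The Python script below is an added illustration, not code from the answer or from any scanner product: it runs a redaction pass over exported findings before they leave the network and gates the export on the result. The finding record layout (host, plugin, output), the regex patterns and the sample findings are all assumptions constructed for this example; it extends the answer's single SSN case to card numbers (the question mentions PCI), confirmed with a Luhn check so that an ordinary 16-digit order id is not redacted by mistake.

```python
import re
from typing import Any

# Constructed patterns for the two kinds of PII named in the thread (SSNs from the
# answer's "SSN Regex" finding, card numbers because the question mentions PCI).
# The SSN pattern accepts the separators scanners commonly report ("112 25 0027",
# "112-25-0027", "112250027") and rejects area/group/serial values that are never
# issued.  The card pattern is deliberately loose; a Luhn check confirms each hit.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})[ -]?(?!00)(\d{2})[ -]?(?!0000)(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in `candidate` pass the Luhn checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Replace PII in one free-text field, keeping only the last four digits so an
    analyst can still correlate the finding.  Returns (clean_text, counts)."""
    counts = {"ssn": 0, "card": 0}

    def card_sub(m: re.Match) -> str:
        raw = m.group(0)
        if not luhn_ok(raw):  # looks like a card number but is not one: leave it
            return raw
        counts["card"] += 1
        return "[CARD ****" + re.sub(r"\D", "", raw)[-4:] + "]"

    def ssn_sub(m: re.Match) -> str:
        counts["ssn"] += 1
        return "[SSN ***-**-" + m.group(3) + "]"

    text = CARD_RE.sub(card_sub, text)  # longer pattern first
    text = SSN_RE.sub(ssn_sub, text)
    return text, counts


def sanitize_findings(findings: list[dict[str, Any]]) -> tuple[list[dict[str, Any]], dict[str, int]]:
    """Redact every string field of every finding; the input records are not modified."""
    totals = {"ssn": 0, "card": 0}
    clean = []
    for finding in findings:
        new = {}
        for key, value in finding.items():
            if isinstance(value, str):
                value, counts = redact(value)
                for kind, n in counts.items():
                    totals[kind] += n
            new[key] = value
        clean.append(new)
    return clean, totals


def safe_to_share(findings: list[dict[str, Any]]) -> bool:
    """Gate for the export step: True only if nothing would need redacting."""
    _, totals = sanitize_findings(findings)
    return not any(totals.values())


# Constructed sample findings in a hypothetical scanner export layout (host, plugin,
# output); the first reuses the SSN-regex hit quoted in the answer.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "plugin": "Sensitive data in HTTP response",
     "output": "Checked for: (SSN Regex) Found: 112 25 0027"},
    {"host": "10.0.0.7", "plugin": "Card number disclosure",
     "output": "Matched 4111 1111 1111 1111 in /export/orders.csv "
               "(order 1234 5678 9012 3456 is an id, not a card)"},
    {"host": "10.0.0.9", "plugin": "Open port", "output": "tcp/443 open, TLSv1.2"},
]

if __name__ == "__main__":
    clean_rows, redacted = sanitize_findings(SAMPLE_FINDINGS)
    for row in clean_rows:
        print(row["host"], "|", row["plugin"], "|", row["output"])
    print("redacted:", redacted, "| safe to share unmodified:", safe_to_share(SAMPLE_FINDINGS))
```

Run the file directly to see the redacted rows and the totals. The sanitize step would sit between the scanner's export and the upload to the cloud service, and the per-kind counts are what an internal audit team would want logged: they show how much regulated data the scanner actually touched without storing the values themselves.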