Vulnerability scans: How effective are they for web apps?

Former Equifax CEO Rick Smith testified before Congress that the company did not identify the critical Apache Struts vulnerability that enabled attackers to breach its network this year. Specifically, Smith said the vulnerability scans did not identify affected versions of the Apache Struts software in Equifax's environment, leaving a web application flaw unpatched. How effective are vulnerability scans for web apps? Is it true that vulnerability scans must be directed at specific web app URLs and not just the host IP?

I have found that the Apache Struts vulnerability has been relatively easy to uncover since it first came out. No targeted URL scanning should be necessary, as three or four of the network and web vulnerability scanners that I use have been able to find this flaw.

In the defense of Smith and Equifax's IT/security team members, there's always a chance that the Apache Struts vulnerability may not have been properly identified. It all depends on the specific scanners that were being used, as you have to use multiple tools; who was running the actual tests, as many people have no formal training on the tools they use; and who was reviewing the vulnerability scans and rating the risks, as sometimes people have their own opinions regarding severity.

Something such as this could get mired in IT or security operations, or even delayed due to a lack of developer or third-party vendor support. There always seems to be someone -- or something -- with a reason that a flaw wasn't found or a patch wasn't deployed. Unfortunately, the reasons for this, as we've seen here, aren't often good enough.

Security teams who are fully on their toes by subscribing to security alerts or who are monitoring server and network behavior -- things that can point them in the right direction -- are in a position to resolve situations, such as the Apache Struts vulnerability, pretty quickly.

This oversight also underscores the importance of knowing your network.

This oversight also underscores the importance of knowing your network. I think it's safe to say that, given the complexity and the typical network environment, no one can truly say they know every nook and cranny of their network inside and out. However, when a business has more security team members than most businesses in this country have total employees, like Equifax does, one would expect low-hanging fruit, such as this data breach, to be discovered by vulnerability scans and mitigated within a reasonably short period of time.

In the end, this may have been a training problem, a lack of time management or a myriad of other issues. It's likely a complicated mix of oversights and misconceptions, which ties directly into culture. When one IT professional is blamed for such an event, then it may be time to re-evaluate leadership, IT oversight and security's priority within the organization.

Ask the expert:
Want to ask Kevin Beaver a question about security? Submit your question now via email. (All questions are anonymous.)