Page 1094 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
As with most tools, the capabilities for various vulnerability scanners vary quite a bit. Before using a scanner, you should research it to make sure it meets your security control objectives.

Web vulnerability scans are an important component of an organization’s security assessment and testing program. It’s a good practice to run scans in the following circumstances:

• Scan all applications when you begin performing web vulnerability scanning for the first time. This will detect issues with legacy applications.
• Scan any new application before moving it into a production environment for the first time.
• Scan any modified application before the code changes move into production.
• Scan all applications on a recurring basis. Limited resources may require scheduling these scans based on the priority of the application. For example, you may wish to scan web applications that interact with sensitive information more often than those that do not.

In some cases, web application scanning may be required to meet compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS), discussed in Chapter 4, “Laws, Regulations, and Compliance,” requires that organizations either perform web application vulnerability scans at least annually or install dedicated web application firewalls to add additional layers of protection against web vulnerabilities.
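The four scanning triggers listed above, together with the PCI DSS annual-scan requirement, can be turned into a simple risk-based scheduler. The following is an added example, not code from the study guide or from any scanner vendor: it takes an application inventory and reports which applications are due for a scan and why, ordering the queue by data sensitivity so that limited scanning capacity goes to the most sensitive applications first. The application names, dates and the per-tier scan intervals (30/90/180 days) are constructed assumptions standing in for an organization's own policy; only the 365-day PCI DSS interval comes from the text.

```python
"""Risk-based web vulnerability scan scheduler (added example, not from the study guide)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Recurring-scan interval in days per sensitivity tier. These values are
# an assumed internal policy, not numbers from the study guide.
INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 180}
SENSITIVITY_RANK = {"high": 0, "medium": 1, "low": 2}
# PCI DSS requires a web application vulnerability scan at least annually
# unless a dedicated web application firewall is deployed instead.
PCI_MAX_DAYS = 365


@dataclass
class WebApp:
    name: str
    sensitivity: str                        # "high" | "medium" | "low"
    in_production: bool = True
    last_scan: Optional[date] = None        # None means never scanned
    last_code_change: Optional[date] = None
    handles_cardholder_data: bool = False
    waf_protected: bool = False


def scan_reasons(app: WebApp, today: date) -> List[str]:
    """Return the reasons (possibly none) why this application needs a scan today."""
    reasons: List[str] = []
    if app.last_scan is None:
        # Triggers 1 and 2: first-time baseline of an existing app, or a new app
        # that must be scanned before its first production deployment.
        if app.in_production:
            reasons.append("never scanned: baseline scan of an existing application")
        else:
            reasons.append("new application: scan before first production deployment")
        return reasons
    age = (today - app.last_scan).days
    # Trigger 3: code changed since the last scan, so rescan before release.
    if app.last_code_change and app.last_code_change > app.last_scan:
        reasons.append("code changed since last scan: rescan before changes reach production")
    # Trigger 4: recurring scan, with the interval set by sensitivity tier.
    if age >= INTERVAL_DAYS[app.sensitivity]:
        reasons.append(f"recurring scan overdue: {age} days since last scan, "
                       f"{app.sensitivity}-sensitivity interval is {INTERVAL_DAYS[app.sensitivity]} days")
    # Compliance: PCI DSS annual scan unless a WAF is the chosen compensating control.
    if app.handles_cardholder_data and not app.waf_protected and age >= PCI_MAX_DAYS:
        reasons.append("PCI DSS: annual web application scan overdue and no WAF compensating control")
    return reasons


def build_scan_queue(apps: List[WebApp], today: date) -> List[Tuple[str, List[str]]]:
    """Order due applications: highest sensitivity first, then longest since last scan."""
    due = []
    for app in apps:
        reasons = scan_reasons(app, today)
        if reasons:
            # Never-scanned apps sort ahead of everything else in their tier.
            age = (today - app.last_scan).days if app.last_scan else float("inf")
            due.append((SENSITIVITY_RANK[app.sensitivity], -age, app.name, reasons))
    due.sort(key=lambda entry: entry[:3])
    return [(name, reasons) for _, _, name, reasons in due]


# Constructed sample inventory: hypothetical applications and dates.
TODAY = date(2024, 6, 1)
SAMPLE_APPS = [
    WebApp("payments", "high", last_scan=date(2024, 3, 1),
           last_code_change=date(2024, 5, 20), handles_cardholder_data=True),
    WebApp("intranet-wiki", "low", last_scan=date(2024, 4, 15)),
    WebApp("hr-portal", "medium"),                     # legacy app, never scanned
    WebApp("new-store", "high", in_production=False),  # awaiting first deployment
    WebApp("legacy-orders", "medium", last_scan=date(2023, 5, 1),
           handles_cardholder_data=True),
]

if __name__ == "__main__":
    for name, reasons in build_scan_queue(SAMPLE_APPS, TODAY):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run as a script, the sample inventory yields the queue new-store, payments, hr-portal, legacy-orders: the two high-sensitivity applications come first, the never-scanned ones ahead of the overdue ones within a tier, and intranet-wiki is not listed because its 180-day low-sensitivity interval has not elapsed. In practice the inventory would be fed from a CMDB or deployment pipeline, and the "modified application" trigger is usually enforced as a pre-release gate rather than by date comparison.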
In addition to Nessus, other tools commonly used for web application vulnerability scanning include the commercial Acunetix scanner, the open-source Nikto and Wapiti scanners, and the Burp Suite proxy tool.
Database Vulnerability Scanning
Databases contain some of an organization’s most sensitive information and are lucrative targets for attackers. While most databases are protected from direct external access by firewalls, web