Question

How do I write an Internal Vulnerability Scan Report for my project?
Do I have to use a tool to generate this report? I have searched on the web related to this but I have been unable to understand it.

Solution

An internal vulnerability scan is normally performed by an automated tool. There are many on the market including both FOSS and commercial software. If you don't know where to start looking then the list of Approved Scanning Vendors (ASVs) on the PCI website is a good place to start. You don't have to use an ASV for the internal scan but they will certainly have products that can help you.

An internal vulnerability scan will normally be run from a console which has access to the internal environment. It will start off with network probes and work its way up the stack depending on what it finds. Given it is an automated scan, don't expect it to provide the same level of detail as a targeted penetration test but it is a good start to see where your security is.

It would be quite unusual to write your own vulnerability scanner as it requires specialist knowledge of networks, operating systems and applications as well as security vulnerabilities. And it needs to be kept up to date as new vulnerabilities in the stack are found. If you have all of these skills then there are probably jobs out there for you with one of the commercial companies!
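The answer above leaves the actual report-writing step to the reader. As an added example (not part of the original answer or of any scanner product), the script below takes a constructed host/port/finding/CVSS export of the kind most scanners can produce, maps each score to its CVSS v3 qualitative band, and renders the executive summary plus a most-severe-first findings list that an internal scan report typically contains. The CSV rows and hosts are constructed sample data.

```python
"""Turn a scanner's CSV export into a prioritised internal scan report.

Added example with constructed data; the export format is an assumption
modelled on typical scanner exports, not any specific product's output.
"""
import csv
import io
from collections import Counter

# Constructed sample export (hosts and findings are made up).
SCAN_EXPORT = """host,port,finding,cvss
10.0.0.5,445,SMBv1 enabled,7.5
10.0.0.5,22,SSH weak MAC algorithms offered,4.3
10.0.0.7,80,Outdated web server version in banner,5.3
10.0.0.7,3306,Database reachable without TLS,9.1
10.0.0.9,161,SNMP default community string,8.8
"""

# CVSS v3 qualitative severity bands; order doubles as report priority.
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}

def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "Informational"

def parse_findings(export: str) -> list[dict]:
    """Parse the export, attach a severity band, sort most severe first."""
    rows = []
    for row in csv.DictReader(io.StringIO(export)):
        row["cvss"] = float(row["cvss"])
        row["severity"] = severity(row["cvss"])
        rows.append(row)
    return sorted(rows, key=lambda r: (RANK[r["severity"]], r["host"]))

def summarize(findings: list[dict]) -> dict:
    """Counts per severity band: the executive summary of the report."""
    return dict(Counter(f["severity"] for f in findings))

def build_report(export: str) -> str:
    """Render the summary and the findings list as plain text."""
    findings = parse_findings(export)
    counts = summarize(findings)
    lines = ["Internal Vulnerability Scan Report", "", "Summary by severity:"]
    lines += [f"  {band:<14}{counts.get(band, 0)}" for band in RANK]
    lines += ["", "Findings (most severe first):"]
    for f in findings:
        lines.append(f"  [{f['severity']}] {f['host']}:{f['port']} "
                     f"{f['finding']} (CVSS {f['cvss']})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_report(SCAN_EXPORT))
```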

License: CC-BY-SA with attribution
Not affiliated with StackOverflow