Do You Need a Penetration Test or a Security Scan?
If you can’t afford a penetration test or have never had one, a security scan may be a good place to start

I have been pondering this recently, as a lot of security services cater to large companies and are very expensive. There are a lot of small companies that simply cannot afford those services, even when they want to know whether their systems are secure.
In addition, if a small business has never had a penetration test report, a security scan might be a more reasonable place to start. When I perform penetration tests for companies that have never had one, I spend so much time addressing basic flaws that I never get very deep into more complex vulnerabilities.
Here’s why that matters. Once I find one, two, or three cross-site scripting (XSS) flaws, there’s a really good chance I can find about 25 or maybe 100 more. I just never have time to traverse the entire site beyond what the scanners cover on their own. And the scanners never find all the flaws. Even when they do report a flaw, they aren’t always right.
A lot of times a scanner will tell you that you have some sort of value reflected back on a page. Sometimes the scanner will produce hundreds or thousands of those findings. I have to go through them all to see which ones are legitimate and which ones are not.
Well, what if the developers got a report and I explained to them how to find these flaws themselves, and also how to stop reflecting data onto pages? I could do that with one or two flaws for a much cheaper price than going through 1,000 potential cross-site scripting findings with a really basic report.
Then, once the developers figure out how to find and fix the cross-site scripting flaws and eliminate them across the board to the best of their abilities, I can come back and run a real penetration test. This time I don’t have to do all the busy work of wading through 1,000 findings that show a reflection and a potential vulnerability. All that noise is removed and I can focus on what actually matters. I can test things the scanner can’t or doesn’t test, and find the things attackers will find that scanners won’t.
And that is a much better use of my time and your money!
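To make the "reflection versus real vulnerability" triage concrete, here is an added example (my own illustration, not 2nd Sight Lab's code or tooling). It shows the "before" and "after" of the developer-side fix the post refers to (reflecting a parameter without encoding versus HTML-encoding it with Python's standard `html.escape`), and a small classifier that sorts a scanner's "value reflected on page" findings into the ones that need developer work and the ones that are noise. The page functions, the `qz7x` marker value and the sample findings are all constructed for the example.

```python
import html

# Constructed example (not 2nd Sight Lab's code): a page that reflects a query
# parameter without encoding, and the same page with HTML output encoding applied.

def vulnerable_search_page(query: str) -> str:
    """'Before' version: the query is inserted into HTML text as-is."""
    return f"<h1>Results for {query}</h1>"


def hardened_search_page(query: str) -> str:
    """'After' version: html.escape() turns & < > " ' into entities, so the
    reflected value stays inert text in an HTML text or quoted-attribute context."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


# Constructed probe value: an alphanumeric tag that is easy to find, plus the
# characters whose treatment decides whether a reflection is a real problem.
MARKER = 'qz7x<"\'>qz7x'
_TAG = "qz7x"


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Triage one 'value reflected on page' scanner finding from the response body.

    Returns:
      'reflected-raw'      marker came back with its special characters intact:
                           a real output-encoding defect the developers must fix
      'reflected-encoded'  marker came back only HTML-entity encoded: safe in a
                           text/attribute context, scanner noise
      'reflected-altered'  tag present but specials stripped or changed: review by hand
      'not-reflected'      marker absent: scanner noise
    """
    if marker in body:
        return "reflected-raw"
    if html.escape(marker, quote=True) in body:
        return "reflected-encoded"
    if _TAG in body:
        return "reflected-altered"
    return "not-reflected"


def triage_findings(findings: dict[str, str]) -> dict[str, list[str]]:
    """Group scanner findings (name -> response body) by classification so a
    long list collapses into the few that actually need developer work."""
    groups: dict[str, list[str]] = {}
    for name, body in findings.items():
        groups.setdefault(classify_reflection(body), []).append(name)
    return groups


if __name__ == "__main__":
    # Constructed responses standing in for four scanner findings.
    sample = {
        "/search?q=": vulnerable_search_page(MARKER),
        "/search2?q=": hardened_search_page(MARKER),
        "/about": "<h1>About us</h1>",
        "/filter?q=": "<h1>Results for qz7xqz7x</h1>",
    }
    for cls, names in triage_findings(sample).items():
        print(f"{cls:18} {names}")
```

Run it as a script to see the four constructed findings collapse into one "reflected-raw" item, one encoded (noise), one not reflected (noise), and one altered (hand review). Entity encoding is the right fix when the value lands in HTML text or a quoted attribute; a value reflected into a script block, a URL, or CSS needs the encoder for that context, and the "reflected-altered" bucket exists precisely because a filter that strips some characters is not the same as encoding.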
I want to find a way to make 2nd Sight Lab’s cybersecurity services accessible to more small companies, and also to help companies make better use of their cybersecurity funds, so we recently added a few new services consisting of basic security scans.
What is a security scan?
There are a lot of tools that will scan various aspects of your security configurations, networks, systems, and applications. Essentially you either send traffic over the network to a web application or a set of IP addresses, or you log into a cloud environment and run a series of queries to inspect its configuration. In the end you get a report from whatever tool you are running. That report will tell you whether you have security problems in your network, application, or cloud environment.
Sometimes the tools themselves are very expensive. Even if they are not, it takes time to learn how to configure and use them properly. A small business owner with a small staff may not have time to do that. There are some really basic scans we can run for small companies to help them find blatant vulnerabilities in their systems or networks.
A security scan will never find everything but a basic scan can help you find and remove the most obvious threats.
OK, you ran a scan and you have a report — now what?
Having a report is great but not if you don’t know what to do with that report. In addition to running basic scans of your cloud, applications, or networks, 2nd Sight Lab provides a one hour consulting call to explain to you what the report means and what to do about the things on it.
Do you already have one of those reports and want to know what it all means? We can help with that too. You can schedule a consulting call with us to discuss the report.
Web application security scan
A web application security scan consists of scanning a specific web application for security flaws. I explain how this is different from a penetration test on this page:
https://2ndsightlab.com/web-application-scan.html
Cloud Configuration Scan
Cloud misconfigurations are one of the biggest problems in cloud environments that lead to data breaches. A cloud configuration scan will help you understand what misconfigurations exist in your cloud environment and we provide a one hour consulting call to explain to you what they mean. Our report will provide links and guidance on how to resolve the problems we find.
https://2ndsightlab.com/cloud-configuration-scan.html
Network Security Scan
A network security scan will scan a range of IP addresses for vulnerabilities and network configuration problems. This type of scan can be performed inside or outside a cloud environment. This type of scan does not assess anything that requires system credentials.
https://2ndsightlab.com/network-security-scan.html
This is a trial run of these services to see how they work out. If it works well, we’ll keep doing it. If we have problems we may raise the prices or discontinue the services. Time will tell.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2024
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab