Do vulnerability scanners discover all vulnerabilities?

blog + DevSecOps + Website security | Z. Oualid | September 29, 2021


Vulnerability scanners are one of the best cyber security solutions that you can use to secure your network. However, one of the most common myths I hear, and a question I often see people asking, is: do vulnerability scanners discover all vulnerabilities?

The vulnerability scanners available in the market now are incapable of discovering all possible application vulnerabilities.

There are multiple reasons behind this inability to detect application vulnerabilities. In this blog post, we will go through some of those reasons and explain each of them with examples.

Why can't vulnerability scanners discover all vulnerabilities?

Code coverage

One of the most common reasons why vulnerability scanners cannot discover vulnerabilities is the code coverage of the tool. Code coverage is the amount of application code a vulnerability scanner can reach during a scan. The more code is reached, the more likely the scanner is to find vulnerabilities.

Unfortunately, not all vulnerability scanners have the power and the technology to reach the deeper parts of the application, especially black box vulnerability scanners.

Code coverage is related to multiple parameters. One of them is constraint solving: some conditions in the application source code need to be met before a part of the code runs (for example, a part of the code that runs only at midnight). If such a condition is not satisfied, the vulnerability scanner will never be able to reach that part of the application.

While trying to solve the code coverage problem of the vulnerability scanner, another challenge arises, called path explosion. As the scanner walks through the application source code, the number of paths it needs to cover grows exponentially. In this situation, the number of requests and the computer memory needed to perform the test both become a limitation for the tool to discover more vulnerabilities in the app.
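The two effects described above can be seen on a toy handler. This is an added example, not code from the original post; the handler, its branch labels and the probe list are constructed for illustration.

```python
from itertools import product

ALL_BRANCHES = {"entry", "export", "export_csv",
                "midnight_cleanup", "midnight_purge"}

def handle(params, hour, hit):
    """Toy request handler; `hit` collects the labels of branches that ran."""
    hit.add("entry")
    if params.get("action") == "export":
        hit.add("export")
        if params.get("format") == "csv":
            hit.add("export_csv")
    if hour == 0:                          # code that only runs at midnight
        hit.add("midnight_cleanup")
        if params.get("purge") == "1":
            hit.add("midnight_purge")

def black_box_scan(probes, hour):
    """Send every probe at the hour the scan happens to run."""
    hit = set()
    for params in probes:
        handle(params, hour, hit)
    return hit

def coverage_ratio(hit):
    return len(hit) / len(ALL_BRANCHES)

def count_paths(n_conditions):
    """Enumerate every true/false combination of n independent conditions."""
    return sum(1 for _ in product((False, True), repeat=n_conditions))

# Constructed probe list standing in for the scanner's requests.
PROBES = [{}, {"action": "export"},
          {"action": "export", "format": "csv"}, {"purge": "1"}]

if __name__ == "__main__":
    day = black_box_scan(PROBES, hour=14)
    print("scan at 14:00 reached", sorted(day), f"({coverage_ratio(day):.0%})")
    print("never reached:", sorted(ALL_BRANCHES - day))
    for n in (4, 10, 20):
        print(n, "independent conditions ->", count_paths(n), "paths")
```

The same probes reach every branch only when the scan runs at hour 0, and each extra independent condition doubles the number of paths to enumerate.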

Time to run

Even if we discover a way to solve the code coverage problem, the time needed to perform a vulnerability scan will always remain a problem, at least until we start using supercomputers.

Solving the code coverage problem means covering all the application's paths and source code. With the solutions currently proposed by security researchers, the time needed to run all those paths remains too long to be used in a professional application scan.

Business logic

A big part of the standard and basic vulnerabilities can be avoided by the development team if they have implemented a DevSecOps environment. This is due to the static analysis phase and the structure of those basic vulnerabilities that have a well-defined pattern.

Fortunately, a lot of software development companies have already started using the DevSecOps process, and we have noticed a reduction in the number of basic vulnerabilities discovered in modern applications. Modern development technologies have also contributed to the reduction of such vulnerabilities by forcing developers to use best practices while developing new applications.

However, another type of vulnerability still exists that is even more complex to discover and more dangerous. Business logic vulnerabilities are one of those types, and until now there is no effective solution that can discover all of them.

The reason these vulnerabilities cannot be found automatically is the nature of business logic vulnerabilities. Business logic vulnerabilities are not always the same. This simply means that finding the same business logic vulnerability in two websites will require a wholly different logic.

Moreover, discovering business logic weaknesses requires a deep understanding of the actual job for which the application was developed. This alone will require the use of some kind of artificial intelligence to be able to solve it.
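To make the contrast concrete, here is an added example (not from the original post) of a constructed toy checkout with a business logic flaw. A generic signature check finds nothing in its responses, while a check written with knowledge of what a valid order is catches the problem. The catalogue, signatures and rule names are assumptions made for illustration.

```python
import re

PRICES = {"book": 20, "pen": 2}   # constructed catalogue, whole currency units

def checkout(cart):
    """Toy endpoint (constructed). Flaw: quantities are never validated."""
    total = sum(PRICES[item] * qty for item, qty in cart.items())
    return {"status": 200, "total": total,
            "body": f"<p>Order accepted. Total: {total}</p>"}

# Response patterns a signature-driven scanner reacts to (constructed list).
SIGNATURES = [re.compile(p, re.I) for p in
              (r"sql syntax", r"<script", r"traceback", r"stack trace")]

def signature_findings(response):
    """Generic check: needs no knowledge of what the application is for."""
    return [s.pattern for s in SIGNATURES if s.search(response["body"])]

def business_rule_findings(cart, response):
    """Domain check: encodes what a valid order means for this one shop."""
    findings = []
    if response["status"] == 200 and any(q <= 0 for q in cart.values()):
        findings.append("non-positive quantity accepted")
    shipped = sum(PRICES[i] * q for i, q in cart.items() if q > 0)
    if response["total"] < shipped:
        findings.append("total below the price of the items shipped")
    return findings

def review(cart):
    """Return (generic findings, domain findings) for one order."""
    response = checkout(cart)
    return signature_findings(response), business_rule_findings(cart, response)

if __name__ == "__main__":
    for cart in ({"book": 1, "pen": 3}, {"book": 1, "pen": -5}):
        print(cart, "->", review(cart))
```

The rules in `business_rule_findings` only make sense for this shop; another application would need different ones, which is why such checks do not generalize the way signatures do.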

For more information about this type of vulnerability here are some blog posts where I have written a detailed explanation about them:

What type of vulnerabilities do vulnerability scanners find?

The vulnerability scanners available now in the market use two main methods to find vulnerabilities:

  1. Using a database of already published vulnerabilities

In this technique, the vulnerability scanner tries to detect the version of each component used by the application and searches its database to see if it is vulnerable. This technique is very limited and will only detect the vulnerabilities that are already discovered by security researchers in the most commonly used applications.

  2. Using a database-based fuzzing technique

This technique is based on a database of knowledge that the tool vendor has already made to guide the fuzzer included in the tool. This technique is very efficient in detecting the most common vulnerabilities like SQL injections, XSS, and others.

In this technique, the tool sends multiple inputs to the application to either track the data flow to see what happens to its input or try to crash the application.

Fuzzers are also the tool most used by security researchers to find deeper vulnerabilities in some commonly used applications. However, even those tools suffer from the problems I have mentioned earlier (code coverage, physical limitations, and time).
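The first method above (version detection plus a database of published vulnerabilities) can be sketched as follows. This is an added example, not code from the original post or from any scanner; the component names, response headers and advisory identifiers are constructed placeholders.

```python
import re

# Constructed advisory database: component -> [(first fixed version, id)].
ADVISORIES = {
    "examplecms": [((2, 4, 1), "ADVISORY-PLACEHOLDER-1")],
    "samplehttpd": [((1, 18, 0), "ADVISORY-PLACEHOLDER-2")],
}

BANNER = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")

def fingerprint(headers):
    """Extract (component, version tuple) pairs from banner-style headers."""
    found = []
    for value in headers.values():
        for name, version in BANNER.findall(value):
            found.append((name.lower(),
                          tuple(int(part) for part in version.split("."))))
    return found

def lookup(components):
    """Report components whose version is older than a known fixed version."""
    hits = []
    for name, version in components:
        for fixed, advisory in ADVISORIES.get(name, []):
            if version < fixed:
                hits.append((name, advisory))
    return hits

def unknown(components):
    """Components the database has no entry for: nothing can be reported."""
    return [name for name, _ in components if name not in ADVISORIES]

# Constructed response headers from a hypothetical target.
HEADERS = {
    "Server": "samplehttpd/1.16.2",
    "X-Powered-By": "ExampleCMS/2.4.1 inhouse-billing/0.3",
}

if __name__ == "__main__":
    components = fingerprint(HEADERS)
    print("detected:", components)
    print("flagged :", lookup(components))
    print("no data :", unknown(components))
```

The in-house component is detected but has no database entry, so the scanner stays silent about it regardless of what flaws it contains.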

What are the most recommended vulnerability scanners?

Even with the limitations that we have discussed in this blog post, vulnerability scanners are still important to enhance the security of your application. In addition, these tools are part of the DevSecOps process, specifically in the dynamic security testing phase.

Therefore, here is a list of some of the most popular and efficient tools in the market, with a short review of each of them based on my own experience with them.

  • Acunetix

I guess the most popular vulnerability scanner in the market is Acunetix. This tool gives some good results when dealing with basic vulnerabilities, like SQL injection, XSS, and others. However, according to some code coverage experiments run on multiple tools, Acunetix was not the best one among them.

This tool can easily be integrated into DevSecOps due to the CI/CD features that it offers to the users.

  • Netsparker

Netsparker was mainly designed to be easily integrated into a DevSecOps process. This tool is very similar to Acunetix, with more focus on CI/CD.

  • Immuniweb

Immuniweb is a nice tool for scanning web applications for vulnerabilities, as it combines both the power of automation using AI and human penetration testing. However, the main problem with this tool is that it is only available in a SaaS format.

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert. I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).

