Vulnerability scanning and management is part of attack surface management – indeed, some consider it to be the same thing. Is it, though? Let's find out.

What is External Attack Surface Management?

Attack surface management (ASM) is a continuous process of identifying, monitoring, and remediating security risks across an organisation's entire attack surface. External attack surface management focuses on the assets and posture of what is externally accessible, i.e., public-facing and discoverable on the internet.

 

What is the difference between External Attack Surface Management and vulnerability scanning?

Vulnerability scanning is a reactive, narrower process that only covers code-based vulnerabilities.

In particular, it is designed to find code-based vulnerabilities in software applications. i.e., where the software package or server software version has a security flaw that can be manipulated to obtain access or cause harm to the asset.

They are typically directed at a specific asset and don’t automatically discover new assets for inclusion. Vulnerability scans can be used to supplement the more expensive and more detailed penetration tests.

The main difference between external attack surface management and vulnerability scanning is that ASM is a proactive, continuous process that covers a broad range of security checks.  

External ASM tools identify potential security risks across an organisation’s entire public-facing attack surface. Not only do ASM tools provide detailed information about each asset and find new ones,  but they also provide information that is not asset related e.g., breached passwords, email configurations, DNS (Domain Name Service), SSL. This provides insight into many security configuration settings that go beyond code vulnerabilities.

And it’s not just the breadth of coverage that makes them different. ASM scans are regular and automated. Compare this with vulnerability scanning which tends to be a reactive process, often only performed when a new software release is done or when a security patch is applied.

In summary, vulnerability scanning tools are part of the external attack surface management story but do not provide a complete picture of an organisation's attack surface.

Reporting vs tracking

Many vulnerability scanning tools produce reports with the findings ranked for severity. Useful, sure, but identifying issues is only part of the job – the next step is tracking those items, remediating them, and validating the change.

A rich attack surface management tool not only raises issues and risks but also creates work items that can be addressed – so that risks can be tracked and managed over time. This combined picture of security posture on open and closed items is simpler to manage and share with key stakeholders from the cyber team up to company directors.

To see how Glasstrail provides a complete picture of your external attack surface weaknesses, try it for free for 14 days. No holds barred – see where your gaps are and how you can address any issues.