
Top OSS Vulnerability Scanners [By Category]

Vulnerability scanning is an integral component of every vulnerability management program, providing security teams with insights needed to address vulnerabilities before they become attack vectors. When conducted regularly, vulnerability assessments offer asset discovery and visibility, attack surface management, and compliance enforcement.

Wiz Experts Team

Vulnerability scanning is the process of identifying and analyzing security flaws in various layers of your IT stack, including networks, endpoints, and cloud environments. 

Vulnerabilities in software applications commonly stem from code flaws, misconfigurations, security policy weaknesses, or software supply chain risks; for example, nearly half of enterprises have at least one database or storage bucket publicly exposed to the internet. Vulnerability assessment tools detect these risks by comparing software versions, code, and system and network configurations against a database of known vulnerabilities, such as the Common Vulnerabilities and Exposures (CVE) database.


Key considerations for vulnerability scanners

When choosing a vulnerability scanner, it’s important to consider several critical factors. These factors not only determine how effective vulnerability detection is but also impact how easily vulnerability scanning can be integrated into DevOps workflows and CI pipelines like GitLab CI, Jenkins, and Azure DevOps. 

For example, keep the following in mind:

  • To develop secure-by-design apps, DevSecOps teams need vulnerability scanners that automatically trigger a scan as part of the build process whenever code is committed. This enables near-instantaneous vulnerability detection, an important part of shift-left testing. 

  • Stakeholders should consider how exhaustively the tool scans and correlates critical vulnerabilities across workloads. An ideal tool offers various types of vulnerability scans, including cloud infrastructure, network, application, and host scans. Such a tool will provide a holistic view of configurations and seemingly innocuous combinations that actually put your stack at risk of cyberattacks. 

  • The scanner should deploy agentlessly, reducing the complexity and overhead associated with using it. It should also integrate with vulnerability management solutions to facilitate ongoing management throughout the vulnerability lifecycle. 

  • The scanner must accurately detect and prioritize vulnerabilities according to criteria like vulnerability severity, asset exposure, and criticality to business operations. 

Top open-source vulnerability scanning tools

Though it's best to have a vulnerability scanner capable of scanning multiple components of your stack, most scanners out there tend to focus on a single layer. Here are our top-rated picks listed by type—based on the layer they secure:

| Tool type | Tool name | Capability | Strength | Limitation |
|---|---|---|---|---|
| Network vulnerability scanners | Aircrack-ng | Monitoring wireless networks | Seamless packet injection | May take hours or days to effectively detect and exploit vulnerabilities |
| Network vulnerability scanners | Masscan | Network troubleshooting and security auditing | Fast scans | Must be integrated with vulnerability management tools for comprehensive vulnerability insights |
| Application vulnerability scanners | Arachni | Web app security testing | Customizable and distributed scans | Cannot effectively detect vulnerabilities related to business logic (e.g., authorization bypass) |
| Application vulnerability scanners | Burp Suite | Web application scanning and testing | Enables active and passive scans | Lacks automated scans, making real-time vulnerability detection impossible |
| Container vulnerability scanners | Clair | Static container vulnerability scanning | Can be customized to suit various use cases without forking | Lacks runtime scanning capabilities; can only analyze images at rest |
| Container vulnerability scanners | Anchore Engine | Container vulnerability scanning and compliance management | Can be integrated into CI pipelines for automated scans | Focuses on popular OS and software packages; may overlook vulnerabilities in custom-built apps |
| Code vulnerability scanners | KICS | IaC code scanning and compliance assessment | Vulnerability risk scores | Offers static scans only; may generate false negatives |
| Code vulnerability scanners | Gitleaks | Git code scanning | Git history and version scanning | Its regex scans may result in false positives |
| Endpoint vulnerability scanners | Lynis | Endpoint security auditing and hardening | Highly extensible | Ideal for Unix-based operating systems only |
| Endpoint vulnerability scanners | OSSEC | Endpoint vulnerability scanning and compliance checks | Host-based intrusion detection | Requires extensive manual tuning to reduce false positives |

Network vulnerability scanners

Network vulnerability scanners assess LANs, servers, and systems for security risks, such as outdated software, misconfigurations, suspicious traffic patterns, and open ports.

1. Aircrack-ng

Aircrack-ng is a suite of tools designed mainly for monitoring, attacking, and cracking 802.11 wireless networks. It sniffs packets and captures hashes, collecting insights needed to crack WEP and WPA/WPA2 pre-shared key (PSK) passwords. This in turn lets you know how easily attackers can decrypt your network traffic and packets. 

Aircrack supports various attack techniques like deauthentication, packet injection, brute force, replay, and dictionary-based password cracking attacks. It comes pre-installed in Kali Linux and can be accessed by typing the following command in the terminal:

aircrack-ng --help

You'll then receive an output displaying various Aircrack-ng commands you can deploy for your vulnerability scans.

Figure 1: Vulnerability scanning with Aircrack-ng (Source: Medium)

How Aircrack-ng works 

You can use any of the tools within Aircrack-ng to conduct a wide range of scans. For instance, you can scan the network using airodump-ng to find suspicious activity or rogue access points.

2. Masscan

Known for its remarkable speed and scalability, Masscan is a lightweight network security vulnerability scanner and reconnaissance tool. It’s ideal for scanning IP addresses, open ports, and other network components.

Figure 2: Sample Masscan vulnerability scan (Source: GitHub)

How Masscan works

You can use Masscan to detect rogue services, firewall outage/tampering, or misconfigured devices that could result in sensitive data exposure. 

For example, you can find misconfigurations by scanning your entire network (Hello, fast scans!), focusing on commonly exploited ports like 80, 22, and 443. Masscan then outputs a report showing all misconfigurations detected, e.g., open port 21 (showing that unencrypted FTP is in use) or weak authentication and authorization on port 22 (creating potential for brute force attacks and remote code execution).
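Masscan itself only reports which ports answered; the policy that turns "port 21 is open" into a finding lives outside the tool, which is the integration gap the comparison table calls out. The script below is an added example written for this article, not part of Masscan or Wiz's tooling. It assumes the line format Masscan writes with -oL (one `open tcp <port> <ip> <timestamp>` record per line, with `#` comment lines), and the sample output, the port list and the severity labels are all constructed for illustration.

```python
"""Triage Masscan list output against a simple exposure policy."""
import re

# Constructed sample output in the line format masscan writes with -oL
# (assumed here; compare against your masscan version's output if it differs).
SAMPLE_MASSCAN_LIST = """#masscan
open tcp 80 10.0.0.5 1700000000
open tcp 21 10.0.0.5 1700000001
open tcp 22 10.0.0.7 1700000002
open tcp 443 10.0.0.7 1700000003
open tcp 23 10.0.0.9 1700000004
# end
"""

# Exposure policy: ports whose mere presence on a scanned host is worth a ticket.
# Severities and reasons are this example's own labels, not Masscan output.
RISKY_PORTS = {
    21: ("high", "FTP: credentials and data cross the network in cleartext"),
    23: ("high", "Telnet: unencrypted remote shell"),
    22: ("medium", "SSH: confirm key-only auth, no root login, and that exposure is intended"),
    3389: ("high", "RDP exposed to the network; restrict to a bastion or VPN"),
}

LINE_RE = re.compile(r"^(open|closed)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_masscan_list(text):
    """Return (state, proto, port, ip) tuples, skipping comments and blank lines."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a result record
        state, proto, port, ip, _timestamp = m.groups()
        results.append((state, proto, int(port), ip))
    return results


def triage(results):
    """Map open ports to policy findings, sorted by severity, then host, then port."""
    order = {"high": 0, "medium": 1}
    findings = []
    for state, proto, port, ip in results:
        if state != "open" or port not in RISKY_PORTS:
            continue
        severity, reason = RISKY_PORTS[port]
        findings.append({"ip": ip, "port": port, "proto": proto,
                         "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (order[f["severity"]], f["ip"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_masscan_list(SAMPLE_MASSCAN_LIST)):
        print(f"[{f['severity']}] {f['ip']}:{f['port']}/{f['proto']} - {f['reason']}")
```

In practice you would feed the real -oL file in and push the findings into whatever ticketing or vulnerability management system you use; the point is that port 80/443 being open is usually expected, while 21 and 23 are findings on their own, and 22 is a prompt to check configuration rather than a verdict.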

Application vulnerability scanners

Application scanners are automated tools that find insecure configurations, outdated libraries, and code vulnerabilities in software applications.

1. Arachni

Arachni is a modular web app vulnerability scanner and security testing tool designed to uncover code and input validation vulnerabilities like SQL injection, cross-site request forgery (CSRF), and file inclusion weaknesses.

Figure 3: How Arachni works (Source: Medium)

How Arachni works 

You can use Arachni to scan apps or websites with PINs or credit card numbers collected during transactions. First, you’ll need to set up Arachni on your servers and provide authentication credentials to enable it to crawl your website to identify user input fields for collecting sensitive customer data (e.g., login services, payment dashboards, and checkout processes).

2. Burp Suite CE

Burp Suite comprises a set of tools for identifying and exploiting web app vulnerabilities. It has an advanced crawler for identifying input fields, forms, and links. Its Interception proxy enables the detection of proxy-based attacks like CSRF and its Intruder tool allows for pen testing via parameter manipulation and brute force attacks. 

Figure 4: Burp Suite dashboard (Source: Medium)

How Burp Suite works

Burp Suite works like a man-in-the-middle, intercepting packets moving from client to server and analyzing them for security vulnerabilities. To get started, install Burp Suite CE and configure your browser to use 127.0.0.1:8080 as its proxy. Then, navigate the target website as a typical user or threat actor would, enabling Burp Suite to capture HTTP requests and responses to detect malicious packets or inputs. You can also test for password vulnerabilities by using Intruder to perform brute-force scans against login pages.

Container vulnerability scanners

Container vulnerability scanners check for security gaps and misconfigurations that attackers can exploit in containers.

1. Clair

Clair is a scanner that conducts static vulnerability analysis of containers and container images. It’s often deployed to work with the built-in container vulnerability scanners available in common container registries like AWS ECR and Quay. 

How Clair works

Clair works by continuously importing CVE data from pre-configured databases like the National Vulnerability Database (NVD). To use Clair, create a docker-compose file containing a Clair container (for the API) and a PostgreSQL container (for CVE data storage). 

2. Anchore Engine

Anchore Engine is a command-line vulnerability scanner for detecting security weaknesses and compliance issues in containers within CI pipelines.

Figure 5: The Anchore Engine product page (Source: Anchore Engine)

How Anchore Engine works

Anchore Engine works by first fetching a container image from a pre-configured registry, then generating a software bill of materials (SBOM), indexing all components of the image. Afterwards, it compares the indexed components—e.g., software packages—to a vulnerability database, correlating the software risks with known vulnerabilities.
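The SBOM-to-vulnerability-database step is the heart of every image scanner, and it is also where the "may overlook custom-built apps" limitation from the table comes from: a component with no entry in the feed is unknown, not clean. The script below is an added example written for this article, not Anchore's matching code. It assumes a minimal SBOM shape (package name and version) and a feed with introduced/fixed version bounds; the SBOM, the feed and its EXAMPLE-VULN ids are constructed placeholders, not real packages or CVEs.

```python
"""Match an SBOM's package list against a vulnerability feed by version range."""


def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical.

    Non-numeric characters are dropped, so this handles plain dotted versions
    only; distro epochs, OpenSSL letter suffixes and semver pre-release tags
    need an ecosystem-specific comparator.
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """Affected if introduced <= version < fixed (fixed=None means no fix released)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


# Constructed SBOM, in the shape a scanner would index from an image.
SBOM = [
    {"name": "openssl", "version": "3.0.10"},
    {"name": "curl", "version": "8.4.0"},
    {"name": "zlib", "version": "1.2.11"},
    {"name": "acme-internal-lib", "version": "0.3.0"},   # in-house, no feed entry
]

# Constructed vulnerability feed; ids are placeholders, not real CVEs.
VULN_DB = [
    {"id": "EXAMPLE-VULN-0001", "package": "openssl", "introduced": "3.0.0",
     "fixed": "3.0.14", "severity": "high"},
    {"id": "EXAMPLE-VULN-0002", "package": "zlib", "introduced": "1.2.0",
     "fixed": "1.2.12", "severity": "high"},
    {"id": "EXAMPLE-VULN-0003", "package": "curl", "introduced": "7.0.0",
     "fixed": "8.4.0", "severity": "medium"},   # 8.4.0 is the fixed version
]


def match_sbom(sbom, vuln_db):
    """Return one record per (component, vulnerability) pair whose range applies."""
    matches = []
    for comp in sbom:
        for vuln in vuln_db:
            if vuln["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                matches.append({"package": comp["name"], "version": comp["version"],
                                "id": vuln["id"], "severity": vuln["severity"],
                                "upgrade_to": vuln["fixed"]})
    return matches


def unmatched_components(sbom, vuln_db):
    """Components the feed knows nothing about: report them, do not treat as clean."""
    known = {v["package"] for v in vuln_db}
    return [c["name"] for c in sbom if c["name"] not in known]


if __name__ == "__main__":
    for m in match_sbom(SBOM, VULN_DB):
        print(f"[{m['severity']}] {m['package']} {m['version']}: {m['id']} (fixed in {m['upgrade_to']})")
    print("no feed coverage:", unmatched_components(SBOM, VULN_DB))
```

Two details matter in a real pipeline: version comparison must follow the package ecosystem's own ordering (a lexical compare would rank 1.10.0 below 1.9.3), and the set of components with no feed coverage should be surfaced separately so that custom libraries get reviewed rather than silently passing.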

Code vulnerability scanners

Code vulnerability scanners are designed to identify potential vulnerabilities in source code and binary files throughout the software development lifecycle.

1. KICS

Keeping Infrastructure as Code Secure (KICS) is an infrastructure as code (IaC) security scanner for detecting vulnerabilities in IaC tools—like Terraform, Docker, Ansible—before code is shipped.

Figure 6: KICS logo (Source: KICS)

How KICS works 

KICS comes with robust built-in and customizable policy templates that enable it to scan IaC files for misconfigurations, vulnerabilities, and compliance violations. It covers a wide range of compliance standards, such as GDPR, PCI DSS, and HIPAA, and enforces security best practices. KICS parses IaC files, extracts relevant metadata, and matches the data against the CIS’s library of built-in custom rules.

2. Gitleaks

Gitleaks is a code scanner for identifying hard-coded secrets, such as passwords, private keys, API keys, and tokens in code repos before they are exploited by attackers.

Figure 7: Gitleaks code scanning (Source: Gitleaks)

How Gitleaks works

Gitleaks can scan code before or after it is committed to Git. If you’ve written some code and need to be sure it contains no secrets or vulnerabilities before pushing it to Git, you’d run the following command:

gitleaks protect . 

This will trigger Gitleaks to run a regex scan on the code file, comparing patterns within your code to a set of predefined patterns for detecting common secrets. You can also configure Gitleaks to automatically scan your code or repos for secrets every time code changes are made. Once it finds a matching pattern, Gitleaks alerts you, pinpointing the problematic part of the code. 
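The table lists false positives as the main weakness of regex-based secret scanning, and the usual mitigation is to pair each pattern with an entropy check so that placeholder strings do not trip the rule. The script below is an added example written for this article, not Gitleaks' own detection engine; its two rules, the entropy floor of 3.0 bits and the sample source file are constructed for illustration (the AKIA value is the access key id used throughout AWS's own documentation examples, not a live credential).

```python
"""Regex secret detection with an entropy filter to cut false positives."""
import math
import re

# Constructed file contents standing in for a staged source file.
# AKIAIOSFODNN7EXAMPLE is the example access key id from AWS documentation.
SAMPLE_SOURCE = '''# config.py
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "xxxxxxxxxxxxxxxxxxxx"
API_KEY = "q7Zp9vL2mX4nR8sT1wK3"
'''

# Each rule: id, compiled pattern, index of the group holding the candidate secret.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 1),
    ("generic-api-key",
     re.compile(r"(?i)api[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"), 1),
]


def shannon_entropy(s):
    """Bits of entropy per character; repeated or placeholder strings score near 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=3.0):
    """Return every regex hit; hits below the entropy floor are marked suppressed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, group in RULES:
            for m in pattern.finditer(line):
                candidate = m.group(group)
                ent = shannon_entropy(candidate)
                findings.append({
                    "rule": rule_id,
                    "line": lineno,
                    "entropy": round(ent, 2),
                    "suppressed": ent < min_entropy,
                    # Never echo the full secret into logs or CI output.
                    "preview": candidate[:4] + "..." + candidate[-2:],
                })
    return findings


def blocking_findings(text, min_entropy=3.0):
    """The subset that should fail a pre-commit or CI check."""
    return [f for f in scan_text(text, min_entropy) if not f["suppressed"]]


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        status = "suppressed" if f["suppressed"] else "BLOCK"
        print(f"{status:10} line {f['line']} {f['rule']} entropy={f['entropy']} {f['preview']}")
```

On the sample file the `api_key = "xxxx..."` placeholder matches the regex but scores 0 bits and is suppressed, while the two real-looking values score above the floor and block the commit. Keep the suppressed hits in the report: tuning the floor too high turns false positives into false negatives.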

Endpoint vulnerability scanners

Endpoint vulnerability scanners detect software, OS, and configuration weaknesses on endpoint devices such as desktops, mobile devices, and servers.

1. Lynis

Lynis is a lightweight endpoint security auditing tool for Unix-based systems. It can be used to run continuous or scheduled scans to facilitate ongoing security posture management. 

Figure 8: Installing Lynis (Source: Lynis)

How Lynis works 

Lynis assesses endpoints for system and network configuration, file permission, and authentication settings issues. To get Lynis to assess your endpoints for security risks, install it from source or through your package manager. Then run the audit command to scan the local host, a remote host, or a Docker container. 
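Continuous posture management with Lynis means deciding, on every scheduled run, whether a host still meets your bar. The script below is an added example written for this article, not part of Lynis. It assumes the key=value layout Lynis writes to its report file (/var/log/lynis-report.dat by default), where repeated entries use a `name[]=` prefix and pipe-separated fields; the excerpt, the threshold of 70 and the pass/fail policy are constructed for illustration, so check them against the report your Lynis version produces.

```python
"""Gate on a Lynis report: parse lynis-report.dat and decide pass or fail."""

# Constructed excerpt in the key=value layout of /var/log/lynis-report.dat
# (assumed here; array entries use a `key[]=` prefix and `|`-separated fields).
SAMPLE_REPORT = """report_version_major=1
hostname=web-01
hardening_index=61
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Details: PermitRootLogin (set YES to NO)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
"""


def parse_report(text):
    """Return scalar values plus lists of records for repeated `name[]=` keys."""
    scalars, arrays = {}, {}
    for line in text.splitlines():
        if "=" not in line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.endswith("[]"):
            fields = value.split("|")
            arrays.setdefault(key[:-2], []).append({
                "test": fields[0],
                "message": fields[1] if len(fields) > 1 else "",
                "details": fields[2] if len(fields) > 2 else "-",
            })
        else:
            scalars[key] = value
    return scalars, arrays


def evaluate(text, min_index=70, fail_on_warnings=True):
    """Decide whether this host passes the posture gate; returns (ok, reasons)."""
    scalars, arrays = parse_report(text)
    reasons = []
    index = int(scalars.get("hardening_index", "0"))
    if index < min_index:
        reasons.append(f"hardening_index {index} below required {min_index}")
    warnings = arrays.get("warning", [])
    if fail_on_warnings and warnings:
        reasons.append("open warnings: " + ", ".join(w["test"] for w in warnings))
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, reasons = evaluate(SAMPLE_REPORT)
    host = parse_report(SAMPLE_REPORT)[0].get("hostname", "?")
    print(f"{host}: {'PASS' if ok else 'FAIL'}")
    for r in reasons:
        print("  -", r)
```

Run this after each scheduled audit and feed the result into whatever tracks host posture; the hardening index gives a trend line per host, while the warning list is what should page someone.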

2. OSSEC

OSSEC is a host-based intrusion detection system (HIDS) for monitoring and auditing endpoints. OSSEC detects endpoint security risks like suspicious activities, rootkits, malware, unauthorized access, and policy violations. 

Figure 9: OSSEC issues page (Source: OSSEC)

How OSSEC works

OSSEC works via agentless and agent-based deployments. It collects data from operating systems, servers, firewalls, routers, and intrusion prevention systems (IPS). It then uses predefined rules and detection signatures to detect known vulnerabilities, attack patterns, and policy violations in endpoint devices.

Vulnerability management with Wiz

Wiz’s agentless vulnerability management solution offers the full range of capabilities needed to manage vulnerabilities throughout their lifecycle—from discovery to prioritization, auto-remediation, and continuous monitoring. Better yet? Our vulnerability management offerings are integrated into the Wiz cloud-native application protection platform (CNAPP), enabling us to provide unmatched contextual insights on vulnerabilities and their root causes. 

As a leader in vulnerability research, we’ve debuted our own vulnerability database and have earned our badge as a CVE Numbering Authority. Insights from the research conducted by our team are used to further enrich the data available to our vulnerability management solution, vastly increasing its vulnerability detection accuracy. And our recent Red Hat Vulnerability Scanner certification further demonstrates Wiz’s unparalleled ability to protect your entire IT stack from threats and vulnerabilities. 

Want to see Wiz in action? Request a demo today. 

