What are vulnerability scans?
A vulnerability scan probes a target (typically across a network, in a request/response pattern) to detect vulnerabilities in the target systems that are remotely exploitable, and reports each one it finds as a security finding in its own right.
It is this type of scanning, often termed "DAST" (Dynamic Application Security Testing) when applied to running web applications, that AppCheck performs.
What are compliance scans or secure configuration assessments and how do they differ from vulnerability scans?
A compliance check also scans a given target, but it returns results based on whether (and to what extent) the target meets a set of defined requirements or standards selected for the scan, rather than on vulnerabilities per se. Each item reported by a compliance scan represents a failure to meet a company policy requirement, or a best practice defined by an industry body or standards organisation; it does not necessarily represent an exploitable security vulnerability.
This type of scanning is intended to let system administrators or operators see how their systems are configured and whether that configuration complies with their company's defined and/or adopted standards. It is normally an authenticated scan: the scanning tool must be given credentials that let it log into hosts and read their configuration so that it can compare that configuration against the defined standards. Because the scanner then holds valid credentials for every host it assesses, that account should be read-only and scoped as tightly as the checks allow.
Some examples of the types of items reported via policy compliance scanning may include:
- Has a password policy been set (e.g. a minimum of 8 characters and a maximum age of 90 days) on the
- Is logging turned on for the webserver and set to log to a remote system?
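To make the distinction concrete, the following is an added example (not AppCheck code and not part of the original article) of the kind of check an authenticated compliance scan performs for the two items above. It reads configuration the scanner would collect after logging in and compares each value against a baseline, reporting pass or fail per control rather than a vulnerability. The config snippets are constructed sample input, and the baseline thresholds (8-character minimum, 90-day maximum age, access logging explicitly on, syslog forwarded off-host) are an assumed policy, not any named standard.

```python
"""Minimal policy-compliance check (added example, not AppCheck's own code).

Unlike a vulnerability scan, nothing here looks for an exploitable flaw: each
control compares observed configuration against an assumed baseline and
reports pass/fail. Sample inputs below are constructed, not real hosts.
"""
import re
from dataclasses import dataclass

# --- constructed sample input: what an authenticated scan would read --------
LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    12
PASS_WARN_AGE   7
"""

NGINX_CONF = """\
# /etc/nginx/nginx.conf (constructed sample)
http {
    access_log /var/log/nginx/access.log combined;
    error_log  /var/log/nginx/error.log warn;
}
"""

RSYSLOG_CONF = """\
# /etc/rsyslog.d/50-remote.conf (constructed sample)
*.* @@logs.example.internal:514
"""


@dataclass
class Finding:
    control: str    # baseline requirement being tested
    passed: bool
    observed: str   # what the target actually has
    expected: str   # what the assumed baseline demands


def parse_key_values(text: str) -> dict:
    """Parse 'KEY value' lines (login.defs style), ignoring comments and blanks."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0]] = parts[1].strip()
    return values


def check_password_policy(login_defs: str, min_len: int = 8, max_age_days: int = 90) -> list:
    """Password policy controls: minimum length and maximum age (assumed baseline)."""
    kv = parse_key_values(login_defs)
    observed_len = int(kv.get("PASS_MIN_LEN", "0"))
    # shadow's default when unset is 99999, i.e. passwords never expire
    observed_age = int(kv.get("PASS_MAX_DAYS", "99999"))
    return [
        Finding("PASS_MIN_LEN", observed_len >= min_len, str(observed_len), f">= {min_len}"),
        Finding("PASS_MAX_DAYS", observed_age <= max_age_days, str(observed_age), f"<= {max_age_days}"),
    ]


ACCESS_LOG_RE = re.compile(r"^\s*access_log\s+(\S+)", re.MULTILINE)
# legacy rsyslog forwarding ("@host" = UDP, "@@host" = TCP) or a RainerScript omfwd action
REMOTE_LOG_RE = re.compile(r"^\s*[^#\s]\S*\s+@{1,2}\S+|omfwd", re.MULTILINE)


def check_webserver_logging(nginx_conf: str, rsyslog_conf: str) -> list:
    """Web server access logging enabled, and syslog forwarded to a remote host."""
    targets = [m.group(1).rstrip(";") for m in ACCESS_LOG_RE.finditer(nginx_conf)]
    logging_on = bool(targets) and all(t != "off" for t in targets)
    remote = REMOTE_LOG_RE.search(rsyslog_conf) is not None
    return [
        Finding("nginx access_log", logging_on, ", ".join(targets) or "(absent)", "explicit and not 'off'"),
        Finding("rsyslog remote forward", remote, "forwarding rule found" if remote else "none", "@host or omfwd action"),
    ]


def run_policy(login_defs: str, nginx_conf: str, rsyslog_conf: str) -> list:
    """Run every control in the assumed baseline and return all findings."""
    return check_password_policy(login_defs) + check_webserver_logging(nginx_conf, rsyslog_conf)


def is_compliant(findings: list) -> bool:
    """A target is compliant only if every control passes."""
    return all(f.passed for f in findings)


if __name__ == "__main__":
    for f in run_policy(LOGIN_DEFS, NGINX_CONF, RSYSLOG_CONF):
        status = "PASS" if f.passed else "FAIL"
        print(f"{status} {f.control:24} observed={f.observed!r} expected={f.expected!r}")
```

With the constructed input, three controls pass and PASS_MAX_DAYS fails (99999 days means passwords never expire), so the host is reported as non-compliant even though no exploitable vulnerability has been identified. That is exactly the difference from a vulnerability scan: the finding is a policy deviation, not an attack path, and whether it matters depends on the standard the organisation has adopted.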
What standards are there?
Policy compliance scanning can be used to assess compliance with company internal standards, as well as with best-practice guidance such as the NIST Special Publication series, regulatory or industry-mandated frameworks such as PCI DSS, HIPAA and HITRUST, and open configuration baselines such as the CIS Benchmarks.
Can I use AppCheck to perform these "compliance scans"?
AppCheck does not offer general-purpose policy compliance scanning at this time; however, its vulnerability scan results can be used in support of compliance requirements that call for regular vulnerability scanning.
For details of PCI DSS ASV scanning specifically using AppCheck, see our separate FAQ article at https://appcheck.zendesk.com/hc/en-us/articles/360015425958-Is-AppCheck-an-Approved-Scanning-Vendor-ASV-under-the-PCI-DSS-scheme-and-can-AppCheck-produce-ASV-reports-
If expanding AppCheck's scan coverage to policy compliance scanning is a priority feature for you, please contact your account manager to raise a feature request for its development.