Wednesday, October 12, 2022

Vulnerability Management - Scan vs Host based findings

Scan based findings are tied to a particular scan. They cannot tell you whether a vulnerability that existed earlier was fixed or not; they only report the current data, i.e. how many vulnerabilities are present right now. So boring right ?? .. Just kidding !!

Host based findings can tell you whether a vulnerability that existed earlier was fixed or not. Reason: they correlate with past scan data, and that correlation is what gives them this ability. They can also give you vulnerability trend information. Sounds cool right !! .. Now let's see what problems this correlation with past data can create.

Imagine you run an authenticated scan, but when you rerun the same scan some time later (days or months), the scanner fails to authenticate. Since the scanner is unable to authenticate, it considers the authenticated findings (data gathered from the previous scan) to be active until it can prove that they are closed. Now imagine the consequence when the device was originally a Windows server, but that IP later became a printer: the printer would carry Adobe Flash/MS Office/etc. vulnerabilities until you purged the asset. You see, everything comes at a price. This is just one example; there are many scenarios where this could cause trouble.

Hence, Qualys introduced the option "auto purge when OS changes". Before this option existed, you had to purge the scan data for that asset manually. Please keep in mind that scan based and host based findings are not options presented when you configure a scan; they are reporting options.
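To make the correlation behaviour concrete, here is a small Python model of the two reporting modes (an added example, not Qualys code; the IP, OS names, finding titles and function names are constructed) that replays the Windows-server-turned-printer scenario with and without the auto-purge option:

```python
from dataclasses import dataclass, field

@dataclass
class ScanResult:
    ip: str
    os: str                # OS fingerprinted by this scan
    authenticated: bool    # did the credentialed checks run?
    findings: set          # finding titles seen by this scan

@dataclass
class HostRecord:
    os: str
    active: set = field(default_factory=set)
    fixed: set = field(default_factory=set)

def scan_based_report(scan):
    """Scan based findings: only what this one scan saw, no history."""
    return set(scan.findings)

def host_based_update(hosts, scan, auto_purge_on_os_change=False):
    """Host based findings: correlate this scan with the stored record for the IP."""
    rec = hosts.get(scan.ip)
    if rec is None or (auto_purge_on_os_change and rec.os != scan.os):
        # First sighting, or the OS changed with auto-purge on: start a fresh record
        # so the old asset's findings do not follow the IP.
        rec = hosts[scan.ip] = HostRecord(os=scan.os, active=set(scan.findings))
        return rec
    if scan.authenticated:
        # Credentialed checks ran, so anything no longer seen is proven fixed.
        rec.fixed |= rec.active - scan.findings
        rec.active = set(scan.findings)
    else:
        # Authentication failed: old findings cannot be proven closed, so they stay
        # active and the IP accumulates whatever the new scan saw.
        rec.active |= scan.findings
    rec.os = scan.os
    return rec

def replay(auto_purge_on_os_change):
    """Replays the post's scenario; returns the active set after the second scan."""
    hosts = {}
    # Constructed sample scans: IP, OS names and finding titles are illustrative only.
    windows = ScanResult("10.0.0.5", "Windows Server", True,
                         {"Adobe Flash EOL", "MS Office RCE"})
    printer = ScanResult("10.0.0.5", "Printer", False, {"SNMP default community"})
    host_based_update(hosts, windows, auto_purge_on_os_change)
    return host_based_update(hosts, printer, auto_purge_on_os_change).active

if __name__ == "__main__":
    print(replay(False), replay(True))
```

Without auto-purge the printer keeps the old Windows findings; with it, only what the latest scan actually saw remains.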

Happy Learning !!
