When setting up your Scanning & Compliance services, each component in your external-facing (public-facing) infrastructure should be added as a scan target. This is likely to include firewalls, routers, servers, websites, and any other devices with an internet-routable public IP address. These components are generally considered to be the most at risk of attack.
Our scanning services break down into three parts:
- IP Scanning (also known as network scanning): This static network-layer assessment is the base-level service applied to all targets in our system. The IP scan will identify the asset and its activities on your network. After this scan's information-gathering process is complete, a security assessment is performed.
- Website Scanning (also known as web application scanning): This dynamic application security test is performed against your website. The scan actively tests for the OWASP Top 10 and other web-application-specific issues.
- PCI (or PCI Compliance scanning): When this service is applied to a scan target in our system, the target is placed "in scope" for PCI. This verifies that the scan target is a part of your cardholder data environment (CDE). A PCI-specific scan policy will automatically be applied to the scan target on our backend, expanding the port discovery process and adjusting vulnerability reporting. All PCI scan targets will be considered when generating attestation of scan compliance reports.
The Website Scanning and PCI services are add-ons to each scan target in your account. This allows flexibility in provisioning and a tailored scan configuration for each component in your environment.
Adding Your Scan Targets
Our system will allow a scan target to be applied by IP address or domain name.
If you are adding a network component that is not a website as a scan target, it can be targeted by IP address.
If you are targeting a website, we recommend applying the scan target by domain name and applying the Website Scanning service. The scanner will automatically locate the IP address during IP scanning. After IP scanning is complete, the Website Scan will launch against the website itself.
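The targeting rules above can be applied to an asset inventory before anything is entered into the account. The following is an added example, not part of the original page or the vendor's tooling: the inventory field names (`ip`, `domain`, `is_website`, `in_cde`) and the sample assets are hypothetical, and it only produces a plan without calling any scanner API.

```python
import ipaddress

# Ranges that are not internet-routable; assets here are not external scan targets.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def is_public(ip):
    """True if the address is outside the private/loopback/link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)

def plan_targets(inventory):
    """Return (plan, skipped): scan targets with services, and non-public assets."""
    plan, skipped = [], []
    for asset in inventory:
        if not is_public(asset["ip"]):
            skipped.append(asset["name"])
            continue
        services = ["IP Scanning"]  # base service on every target
        target = asset["ip"]        # non-website components: target by IP
        if asset.get("is_website"):
            services.append("Website Scanning")
            target = asset.get("domain") or asset["ip"]  # prefer the domain name
        if asset.get("in_cde"):
            services.append("PCI")  # places the target in scope for PCI
        plan.append({"name": asset["name"], "target": target, "services": services})
    return plan, skipped

# Constructed sample inventory (RFC 5737 documentation addresses stand in for public IPs).
INVENTORY = [
    {"name": "edge-firewall", "ip": "203.0.113.1"},
    {"name": "shop", "ip": "203.0.113.10", "domain": "shop.example.com",
     "is_website": True, "in_cde": True},
    {"name": "mail-gateway", "ip": "203.0.113.25"},
    {"name": "intranet-wiki", "ip": "192.168.1.50", "is_website": True},
]

if __name__ == "__main__":
    plan, skipped = plan_targets(INVENTORY)
    for entry in plan:
        print(f"{entry['target']:<20} {', '.join(entry['services'])}")
    print("not public-facing, skipped:", ", ".join(skipped))
```

Assets that fall in a non-routable range are listed separately so they can be reviewed rather than silently dropped from the external scan scope.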