Limits of a vulnerability scan
Whilst there is no question that regular vulnerability assessments are beneficial to a company or organisation, they are non-invasive tests. As such, they do not provide an overall picture of your security posture; they show only whether you are vulnerable to threats that are known (and publicly available) at the time of the test. They usually do not take a great deal of time to run and are a good option if a business is short of resources.
First of all, you need to ensure that the vulnerability scanning software you choose to run is up to date with the latest information. An outdated vulnerability scanner will provide very little benefit. More importantly, certain methods used by hackers will not show up as a ‘known vulnerability’ in the software’s code or as an obvious misconfiguration. Cross-Site Scripting (XSS) vulnerabilities, for example, will not always show up on a vulnerability scan, even when they are present. A scanning tool may conclude that the area scanned has adequate protection, but hackers actively work to subvert that protection.
Scans also give you little insight into what harm a hacker could do from an authenticated perspective, that is, a hacker who has managed to compromise user credentials or who holds a valid account for the service. Whilst certain scans can be run as an authenticated user (and subsequently find more faults), they will not be able to test for, say, privilege escalation attacks (which can take a number of creative routes) or attempt password spraying.