I ran it against a few servers I'm responsible for. I'm not impressed.
I got a large number of reports for a Debian system running Apache. These were all old vulnerabilities where fixes were backported to Debian's packages, so these are false positives. Also got a warning for another server about the recent XMSS issue in OpenSSH, which is code that is disabled by default (and disabled on the scanned server).
It seems all this tool does is some kind of version matching (i.e. "a CVE has been reported for version x.y.z of software A, so a server running x.y.z is vulnerable"). This is a poor proxy for the actual existence of a vulnerability. It's not a "vulnerability scanner" in a sense that it actually tests for the presence of a vulnerability.
(Full disclosure: Just copied over my comment I posted on reddit earlier today)
This has been my experience with similar tools (mostly openvas / greenbone) and companies peddling vulnerability tests for compliance purposes. There doesn't seem to be a lot of "functional scanning" in this space, like you're talking about.
So I agree the false positives are a pain in networks with patched systems but this also seems to be standard behavior.
Similar experience. Many scanners seem to be designed around showing 'value' to management vs real value for engineering and security teams. Another example is Blackduck. It's slow, noisy, has tons of FPs (which you cannot globally ignore), etc. It ends up being a tool users fight against instead of work with.
Another caveat -- scanners usually do not account for the current v vulnerable configuration. So while they may flag a vulnerability, it's often a potential vulnerability. It's a mixed bag -- at scan time the system may be secure, but a future change may result in a vulnerable system. Unless you're religious about scanning after each build/config change, this could bite you as well. It would be nice to know these minutiae without digging into each CVE report.
But what else would you propose? Only thing you could do which would be more accurate is to try to exploit all the issues it found, which isn't really practical, because POCs are not always available and if they are, you would have to build some kind of database with all of them. Maybe it could be combined with Metasploit...
I think I'd prefer a tool that identifies points of interest for my team to investigate rather than one that actually tries to execute a hack against my servers, introducing possible instability.
> It seems all this tool does is some kind of version matching (i.e. "a CVE has been reported for version x.y.z of software A, so a server running x.y.z is vulnerable"). This is a poor proxy for the actual existence of a vulnerability
It sounds as though it's illustrative of a problem with either the index the scanner software is referring to or the update methodology the distro relies on. Debian don't really fix the software without incrementing the version number in some fashion, do they?
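As an added example (not part of this thread and not Flan Scan's own code): the false-positive mechanism hannob describes and justin66 asks about, in Python. Debian keeps the upstream version string in the banner and records the backported fix only in the package revision, so a banner-only check flags the host; comparing the installed package revision against the distro's fixed-in revision clears it. The CVE id, the version bound and the `DISTRO_FIXED` table are constructed stand-ins for a real CVE feed and Debian's security tracker, and the version ordering is a simplified, not full, dpkg comparison.

```python
"""Added example: why banner version matching over-reports on Debian,
and how a distro fixed-in check clears the hit. Not Flan Scan's code."""
import re

# Constructed CVE record in the shape a version-matching scanner consumes.
# The id and the fixed-in bound are invented, not real Apache advisory data.
CVE_DB = {"CVE-EXAMPLE-0001": {"product": "apache", "fixed_upstream": "2.4.41"}}

# Constructed stand-in for a distro security tracker: the package revision
# that backported the fix while leaving the upstream version string alone.
DISTRO_FIXED = {("debian", "apache2", "CVE-EXAMPLE-0001"): "2.4.38-3+deb10u4"}

def version_key(version):
    """Simplified dpkg-style ordering: compare the numeric runs in order.
    Enough for x.y.z and -N+debNuM strings, not full dpkg semantics."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def parse_banner(banner):
    """Split a Server header such as 'Apache/2.4.38 (Debian)' into
    (product, upstream_version, distro_hint); distro_hint may be ''."""
    m = re.match(r"(\w+)/([\d.]+)(?:\s+\((\w+)\))?", banner)
    if not m:
        return None
    product, upstream, distro = m.groups()
    return product.lower(), upstream, (distro or "").lower()

def naive_scan(banner):
    """What pure version matching does: flag every CVE whose fixed-in
    upstream version is newer than the one shown in the banner."""
    parsed = parse_banner(banner)
    if not parsed:
        return []
    product, upstream, _ = parsed
    return [cve for cve, rec in CVE_DB.items()
            if rec["product"] == product
            and version_key(upstream) < version_key(rec["fixed_upstream"])]

def triage(banner, installed_pkg, installed_version):
    """Re-check each naive hit against the distro's fixed-in revision; the
    installed_* values come from the host's package manager, which a remote
    banner scan cannot see. Returns (confirmed, cleared)."""
    distro = (parse_banner(banner) or ("", "", ""))[2]
    confirmed, cleared = [], []
    for cve in naive_scan(banner):
        fixed = DISTRO_FIXED.get((distro, installed_pkg, cve))
        if fixed and version_key(installed_version) >= version_key(fixed):
            cleared.append(cve)
        else:
            confirmed.append(cve)
    return confirmed, cleared
```

A host whose banner says `Apache/2.4.38 (Debian)` is flagged by `naive_scan` but cleared by `triage` once the installed `apache2` revision is at or above the backport; the same banner with an older revision, or with no distro hint at all, stays confirmed.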
Remember: This is a 50 line Python script that is a wrapper for nmap + vulners NSE script.
It's not a product, but some simple automation around existing tooling. Better than paying $$$ for a full fledged scanner? Maybe, but depends on your use case.
Flan Scan is a thin wrapper around Nmap that converts this popular open source tool into a vulnerability scanner with the added benefit of easy deployment.
Vulners.com isn't a free service, are there other cheaper alternatives (perhaps less comprehensive) that maintain database of vulnerabilities?
Interestingly, the very impressive infosec people behind Vulners are employed (?) by QIWI, a Russian payments company. That isn't an issue now that you publicly claim to use their service, but were there any reservations raised by legal or otherwise?
How much in relative terms were the cost savings when Cloudflare did switch to in-house audits via Flan Scan given the requirements / development / operational / maintenance effort expended + licensing service from Vulners?
Does Flan Scan also scan network equipment (like switches, routers etc)?
Given the complex heterogeneous nature of the global Cloudflare network, what did the deployment process look like? Will there be a follow-up blog post on how that was automated/accomplished?
What are the other big cloud / CDN providers doing to scan for vulns / compliance at scale if you're privy to it? Have any of them shown interest in contributing to and/or using Flan Scan?
What does the short-term and long-term roadmap for Flan Scan look like?
That LaTeX report output is hot. It'd be cool if the bar could be raised for scanners like this, which mostly just try to get services to respond with a version number.
It is always funny seeing how less than a hundred lines of code can replace six or seven digits in licensing, negotiation, lawyering, and time.
Cool project. I'd be interested in using the scan data to automate workflows. Is Cloudflare hooking this into some security automation engine to make the data actionable?
The article essentially reads as "we paid lots of monies for a mediocre scanner, and then we discovered that the FOSS nmap did everything we needed. So we took nmap and added a little bit of extra, a web interface, and gave it the name Flan Scanner."
hannob | 6 years ago
thaumaturgy | 6 years ago
gwittel | 6 years ago
Hitton | 6 years ago
cabaalis | 6 years ago
justin66 | 6 years ago
bloblaw | 6 years ago
peterwwillis | 6 years ago
[deleted]
0xmohit | 6 years ago
ejcx | 6 years ago
ignoramous | 6 years ago
Why "Flan Scan"? :)
Thanks a lot.
internobody | 6 years ago
ejcx | 6 years ago
I’ve managed Nessus in a past life and it was a nightmare.
microcolonel | 6 years ago
humtum | 6 years ago
_ytji | 6 years ago
unknown | 6 years ago
[deleted]
trhaynes | 6 years ago
derpherpsson | 6 years ago
. . .
The corporate world is so facepalm sometimes
dewey | 6 years ago
Sometimes that's the difference between people using it not using it. The classic rsync and a bunch of scripts vs. Dropbox HN comment.
jgrahamc | 6 years ago