Question
Cloud scanners are becoming more common these days. Pricing is a lot cheaper than on-premise scanners. My concern with cloud scanners is that they store sensitive information on a third-party network. (I am not sure if the sensitive information only includes scan results.) Is there any other information a cloud scanner may store besides scan results? I know when I was taking cyber law and compliance classes, I remember some of them (HIPAA, SOX, PCI) required different sets of rules for transferring personal information to another site. Should I be concerned with this when using a cloud web application scanner, whether it is SAST or DAST? What are your experiences and thoughts on cloud scanners vs. on-premise ones?
Explanation / Answer
I have used both. You will get different results with a cloud-based scanner versus an on-premise scanner.
Typically, an on-premise scanner would perform authenticated scans against your assets with no port restrictions or hindrance from other security devices. This gives you a true snapshot of system vulnerabilities.
Cloud-based scanners typically scan your externally facing assets, unauthenticated, and must traverse the same infrastructure an attacker would (IPS, WAF, firewall, etc.). This gives you an idea of what an attacker would see.
They both paint a different picture of your network and are typically used in tandem, not in lieu of.
Now, with that being said, maybe you are allowing a cloud-based scanner unadulterated access to your internal network, which I personally would advise against.
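The answer's point that the two scan types paint different pictures and are used in tandem is easiest to see when the two result sets are reconciled side by side. The following is an added example, not code from the question, the answer, or any scanner product: it labels each finding by where it was observed (external unauthenticated scan, internal authenticated scan, or both) and orders them so externally reachable issues come first. All hostnames, ports and issue labels are constructed sample data.

```python
"""
Reconcile findings from an external, unauthenticated (cloud) scan with
findings from an internal, authenticated (on-premise) scan.

All sample data below is constructed for illustration; it is not output
from any real scanner and the hosts do not exist.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str      # short issue label (constructed)
    severity: int   # 1 (low) .. 4 (critical), constructed scale


# Constructed: what the cloud scanner saw from the Internet, unauthenticated,
# after traversing firewall / WAF / IPS. Note the HSTS item is reported only
# here: the edge (CDN/WAF) is what an outside scanner talks to, not the origin.
EXTERNAL_FINDINGS = {
    Finding("www.example.test", 443, "TLS 1.0 enabled", 2),
    Finding("www.example.test", 443, "Reflected XSS in /search", 3),
    Finding("www.example.test", 443, "Missing HSTS header at edge", 1),
}

# Constructed: what the on-premise scanner saw with credentials, no port
# restrictions, talking to hosts directly on the internal network.
INTERNAL_FINDINGS = {
    Finding("www.example.test", 443, "TLS 1.0 enabled", 2),
    Finding("www.example.test", 443, "Reflected XSS in /search", 3),
    Finding("www.example.test", 22, "Outdated OpenSSH package", 3),
    Finding("db01.example.test", 3306, "MySQL root without password", 4),
}


def reconcile(external, internal):
    """Map each finding to where it was observed: 'both', 'external-only'
    or 'internal-only'."""
    result = {}
    for f in external | internal:
        if f in external and f in internal:
            result[f] = "both"
        elif f in external:
            # Seen from outside but not by the authenticated scan: usually an
            # edge-layer (WAF/CDN/load balancer) issue the internal scan bypassed.
            result[f] = "external-only"
        else:
            # Not reachable from the Internet: lower exposure, still a real
            # vulnerability that an attacker already inside could use.
            result[f] = "internal-only"
    return result


def prioritize(reconciled):
    """Order findings: externally reachable first, then by severity descending,
    then by host/port for a stable listing."""
    exposure = {"both": 0, "external-only": 0, "internal-only": 1}
    return sorted(
        reconciled,
        key=lambda f: (exposure[reconciled[f]], -f.severity, f.host, f.port),
    )


def summarize(reconciled):
    """Count findings per observation category."""
    counts = {"both": 0, "external-only": 0, "internal-only": 0}
    for where in reconciled.values():
        counts[where] += 1
    return counts


if __name__ == "__main__":
    merged = reconcile(EXTERNAL_FINDINGS, INTERNAL_FINDINGS)
    print(summarize(merged))
    for f in prioritize(merged):
        print(f"{merged[f]:<14} sev={f.severity} {f.host}:{f.port} {f.issue}")
```

The combined view is what neither scanner gives on its own: the external scan shows the attacker's-eye ordering, while the internal authenticated scan supplies the findings (patch levels, database configuration) that no unauthenticated scan through a firewall can observe.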