How does SecurityScorecard detect vulnerabilities?
SecurityScorecard's scanning technology examines an organization's digital footprint (in this case, its IP addresses) by assessing it for products and services that are exposed externally. The assessment runs a number of custom probes to identify products and services; this is a passive scan. We do not run intrusive scans to determine whether a device or system is actually vulnerable.
Vulnerabilities are determined from the products detected by this outside-in assessment, by matching the observed version data against an extensive vulnerability database covering all known CVEs.
SecurityScorecard raises an issue type in the platform if we can confidently determine that the product we observe is indeed impacted by that vulnerability. Other vendors will sometimes raise a CVE even when it isn't a direct match, detecting based on the general product class; we consider this a Potential Vulnerability. We do the same for the large number of products for which we cannot obtain version information 100% of the time: we raise a Potential Vulnerabilities finding in the Application Security factor on any given Scorecard.
Further, not all products can be detected by outside-in scanning (e.g. local software, or libraries bundled inside bigger packages), and those that are detected may not surface sufficient information to confidently say it is an impacted version.
How does SecurityScorecard detect 0-days?
We often encounter 0-day vulnerabilities where information is limited about the product or service that is impacted. From a detection point of view, if we can detect the product, it will either surface automatically as a vulnerability finding in Patching Cadence or fall within the Potential Vulnerability issue type in Application Security. Either way, this process is fairly automatic if the product is detectable. In cases where the product isn't directly observable (as with Log4j, which wasn't a product but a software library used by products), additional steps are taken to ensure coverage is available. The SLA for this is typically 24/48 hrs to surface in the platform, due to the additional work required. In these cases we research and identify additional ways to detect the presence of the product through the various metadata we collect through scanning (HTTP headers, titles, HTML body, banners, etc.). The end result is a Potential Vulnerability finding, unless we can determine the version externally through metadata with 100% certainty.
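The confident-match versus Potential Vulnerability split described above, together with the banner and header metadata matching used for 0-day coverage, as an added Python example that is not SecurityScorecard's code. The Server banner format, the product names and the CVE entries (placeholder IDs) are all constructed assumptions.

```python
import re

# Constructed vulnerability table (placeholder CVE IDs, not real ones):
# each entry affects versions in the half-open range [min, max).
CVE_DB = [
    {"id": "CVE-0000-0001 (placeholder)", "product": "exampled",
     "min": (2, 4, 0), "max": (2, 4, 7)},
    {"id": "CVE-0000-0002 (placeholder)", "product": "demohttpd",
     "min": (1, 0, 0), "max": (1, 3, 0)},
]

# Banner shape assumed here: "Product/1.2.3 (comment)"; the version part is optional.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>\d+(?:\.\d+)*))?")


def parse_version(text):
    """'2.4.3' -> (2, 4, 3) so affected ranges compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(headers):
    """Pull product and (optional) version from a Server header: passive metadata only."""
    banner = headers.get("Server", "").strip()
    match = BANNER_RE.match(banner)
    if not match:
        return None, None
    version = match.group("version")
    return match.group("product").lower(), (parse_version(version) if version else None)


def classify(headers):
    """Return (finding_type, cve_id) following the confident-vs-potential split."""
    product, version = fingerprint(headers)
    candidates = [c for c in CVE_DB if c["product"] == product]
    if not candidates:
        return "none", None              # unknown product, or nothing in the database
    if version is None:
        # Product is observable but its version is not: raise as Potential Vulnerability.
        return "potential_vulnerability", candidates[0]["id"]
    for cve in candidates:
        if cve["min"] <= version < cve["max"]:
            return "vulnerability", cve["id"]   # confident version match
    return "none", None                  # version observed and outside affected ranges


if __name__ == "__main__":
    # Constructed observations, as a passive scanner might record them.
    for hdrs in ({"Server": "exampled/2.4.3 (Unix)"}, {"Server": "exampled"},
                 {"Server": "demohttpd/1.3.0"}, {"Server": "nginx"}, {}):
        print(hdrs.get("Server", "<no banner>"), "->", classify(hdrs))
```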
Vulnerability Intelligence (CVEDetails)
Further, SecurityScorecard has a new Vulnerability Intelligence module that gives all of the critical details about any new vulnerability. This module also covers vulnerabilities for products and services that are not detectable from outside-in; future releases will allow you to upload your technology stack and be alerted when a new vulnerability affecting it is released. This new product will enable you to set up alerts to notify you of new vulnerabilities as they emerge. You can access this module through the SecurityScorecard platform, which provides further details about each vulnerability. Below is an example of a vulnerability discovered on the Allianz.com Scorecard.