Are your systems and applications scanned with an authenticated user account for vulnerabilities (that are remediated) prior to new releases?
Explanation
Pre-release vulnerability testing is what's being verified: whether you scan systems and applications using an authenticated account and remediate findings before shipping new releases.
Authenticated vulnerability scanning means the scanning tool logs into the system being tested with actual user credentials (as opposed to unauthenticated scanning, which only tests from an external perspective). Authenticated scanning provides a more comprehensive view of vulnerabilities because it can detect issues that are only visible once logged in.
The question specifically asks if these scans are performed before new releases and if discovered vulnerabilities are remediated (fixed) before the release goes live.
This is important for security assessments because:
- Pre-release scanning helps identify security issues before they reach production environments
- Authenticated scanning finds more vulnerabilities than unauthenticated scanning
- The remediation component ensures identified issues are actually fixed
- This practice demonstrates a mature security program with security integrated into the development lifecycle
To best answer this question, you should:
- Clearly state whether you perform authenticated vulnerability scanning
- Explain your scanning process and tools used
- Describe how scanning fits into your release cycle
- Outline your remediation approach (especially for critical vulnerabilities)
- Mention any exceptions to your scanning policy
Example Responses
Example Response 1
Yes, we perform authenticated vulnerability scanning on all systems and applications prior to new releases Our DevSecOps pipeline includes mandatory authenticated scans using Tenable.io and OWASP ZAP with dedicated scanning accounts that have standard user permissions Critical and high vulnerabilities must be remediated before release approval, while medium vulnerabilities require remediation within 30 days post-release Low vulnerabilities are tracked but remediated based on resource availability Our Security team reviews all scan results, and our Change Advisory Board requires clean scan results (or approved exceptions with compensating controls) before authorizing production deployment We maintain scan reports for all releases for at least 12 months.
Example Response 2
Yes, our organization conducts authenticated vulnerability scanning as part of our release management process We use a combination of Qualys for infrastructure scanning and Veracode for application scanning, both configured with dedicated service accounts that have appropriate access levels Our CI/CD pipeline automatically triggers these scans during the QA phase, and our release policy mandates that all critical and high vulnerabilities must be remediated before proceeding to production Medium vulnerabilities require documented risk acceptance from the application owner and CISO if not addressed pre-release We also perform quarterly authenticated scans on production environments to ensure ongoing security posture All scan results are documented in our vulnerability management system and tracked to resolution.
Example Response 3
No, we currently do not perform authenticated vulnerability scanning prior to new releases Our security testing process primarily relies on unauthenticated scanning using Nessus, which we recognize provides limited visibility into potential vulnerabilities We are in the process of implementing a more comprehensive vulnerability management program that will include authenticated scanning capabilities Our roadmap includes deploying Rapid7 InsightVM within the next quarter and updating our release management procedures to require authenticated scans with remediation of critical findings before release approval In the interim, we mitigate this gap through manual security code reviews for critical applications and third-party penetration testing on an annual basis.
Context
- Tab
- Infrastructure
- Category
- Vulnerability Management
Related questions
- Will you provide results of application and system vulnerability scans to the institution?
- Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?
- Have your systems and applications had a third-party security assessment completed in the last year?
- Do you regularly scan for common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.)?
- Are your systems and applications regularly scanned externally for vulnerabilities?

