VULN-06

Are your systems and applications regularly scanned externally for vulnerabilities?

Explanation

This question asks whether your organization conducts regular external vulnerability scans on your systems and applications. External vulnerability scanning involves using automated tools to examine your internet-facing assets (websites, servers, cloud resources, etc.) from outside your network to identify security weaknesses that could be exploited by attackers.

Why it's being asked:

1. External scanning provides visibility into what potential attackers can see and potentially exploit
2. Regular scanning helps identify new vulnerabilities as they emerge
3. It demonstrates a proactive security posture
4. Many compliance frameworks (PCI DSS, SOC 2, ISO 27001, etc.) require regular vulnerability scanning

The assessor wants to know:

- If you conduct external scans at all
- How frequently these scans occur
- What tools you use
- How you manage the findings

A good answer should address the frequency of scans (quarterly is common, monthly is better), mention the scanning tools used, describe the process for reviewing and remediating findings, and note any third-party involvement in the scanning process. If you use a reputable third party for scanning, this can add credibility to your security program.

Example Responses

Example Response 1

Yes, we conduct external vulnerability scans on all internet-facing systems and applications monthly using Qualys Vulnerability Management. Our security team reviews all findings within 48 hours of scan completion. Critical and high vulnerabilities are remediated within 14 days, medium vulnerabilities within 30 days, and low vulnerabilities within 90 days. Additionally, we engage a third-party security firm to perform quarterly penetration tests that include external vulnerability scanning to provide an independent assessment. All scanning results and remediation activities are documented in our vulnerability management system and reported to senior management quarterly.

Example Response 2

Yes, our organization performs external vulnerability scans bi-weekly using Tenable.io. We have configured automated scanning for all our public-facing assets, including our web applications, APIs, and cloud infrastructure. The security operations team receives real-time alerts for critical findings and reviews all scan results within 24 hours. We follow a risk-based approach to remediation with SLAs of 7 days for critical, 14 days for high, 30 days for medium, and 60 days for low-severity vulnerabilities. We also conduct ad-hoc scans after significant infrastructure changes or when new vulnerabilities are publicly disclosed that could affect our systems.

Example Response 3

No, we currently do not perform regular external vulnerability scans on our systems and applications. We rely on our firewall's built-in threat detection capabilities and periodic manual security reviews by our IT team. We recognize this is a gap in our security program and are in the process of evaluating vulnerability scanning solutions with the goal of implementing quarterly external scans within the next six months. In the interim, we have engaged a security consultant to perform a one-time comprehensive external vulnerability assessment to identify any critical issues requiring immediate attention.
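As an added example (not part of the original page, and not code from any scanning product it names), the script below evaluates exported scan findings against the remediation SLAs stated in Example Response 2 and reports which findings are overdue, so the "how you manage the findings" part of the answer can be backed by evidence. The findings, asset names and the 3-day warning window are constructed assumptions.

```python
from datetime import date, timedelta

# Remediation SLAs in days per severity, as stated in Example Response 2.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 60}

# Reporting date used by the stand-alone run (constructed).
AS_OF = date(2024, 5, 22)

# Constructed sample findings in the shape an external scanner export might take:
# asset, check title, severity, date first seen, and resolution date (None if still open).
FINDINGS = [
    {"asset": "www.example.com", "title": "TLS 1.0 enabled", "severity": "medium",
     "first_seen": date(2024, 5, 1), "resolved": date(2024, 5, 20)},
    {"asset": "api.example.com", "title": "Outdated web server", "severity": "critical",
     "first_seen": date(2024, 5, 10), "resolved": None},
    {"asset": "vpn.example.com", "title": "Weak cipher suite", "severity": "low",
     "first_seen": date(2024, 3, 1), "resolved": None},
    {"asset": "www.example.com", "title": "Missing security header", "severity": "low",
     "first_seen": date(2024, 5, 15), "resolved": None},
    {"asset": "mail.example.com", "title": "Outdated mail daemon", "severity": "high",
     "first_seen": date(2024, 5, 10), "resolved": None},
]


def sla_deadline(finding):
    """Date by which the finding must be remediated under its severity SLA."""
    return finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])


def sla_status(finding, today, warn_days=3):
    """Classify a finding: closed_in_sla, closed_late, overdue, open_due_soon or open."""
    deadline = sla_deadline(finding)
    if finding["resolved"] is not None:
        return "closed_in_sla" if finding["resolved"] <= deadline else "closed_late"
    if today > deadline:
        return "overdue"
    if (deadline - today).days <= warn_days:  # assumed warning window before breach
        return "open_due_soon"
    return "open"


def sla_report(findings, today):
    """Return per-status counts and the overdue findings, earliest missed deadline first."""
    counts, overdue = {}, []
    for f in findings:
        status = sla_status(f, today)
        counts[status] = counts.get(status, 0) + 1
        if status == "overdue":
            overdue.append((sla_deadline(f), f["asset"], f["title"], f["severity"]))
    overdue.sort()
    return counts, overdue


if __name__ == "__main__":
    counts, overdue = sla_report(FINDINGS, AS_OF)
    print(counts)
    for deadline, asset, title, sev in overdue:
        print(f"OVERDUE since {deadline}: {asset} - {title} ({sev})")
```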

Context

Tab: Infrastructure
Category: Vulnerability Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub