This post was originally published here by Cliff Turner.
Constant security scans can be a headache, and finding the best tool for the job can be even more of a nightmare. There's plenty of conflicting information circulating about what will be best for your business. Should you get an agent-based scanning tool, or rely on appliance-based vulnerability scanning? What products are lightweight enough to blend into the DevOps cycle without slowing down innovation? What products will keep you in compliance consistently and eliminate manual scans?
Well, if you want your scans to integrate seamlessly into your production cycle, then I would say agent-based scanning is the best option for you. In fact, I'm so convinced it's the best option that I've outlined 14 key reasons why there's no contest between agent-based scanning and appliance-based vulnerability scanning.
Check them out below, and see if you agree.
- With agent-based scanning, there's no limit to the number of hosts scanned: you can scan your entire enterprise at the same time.
- There are no network requirements and no firewall changes with agent-based scanning.
- No scanning windows are required. For example, with CloudPassage Halo, scans are lightweight and have no network impact.
- Scans can be initiated by API, manually, or automatically, meaning environments can be scanned automatically at boot, after every change, and continuously.
- There are no IP requirements. In dynamic environments like public cloud, there is no concern about missed servers due to IP changes, and you're not affected by duplicate IP addresses or NAT usage.
- Licensing is by workload, not by IP. Consequently, there's reduced cost for scanning multiple IPs on the same network.
- No appliances are required. Agent-based scanning is quick to deploy and simple to manage.
- No user credentials are required, so all workloads can be scanned, even servers you can't log into.
- Installing an agent is seriously simple. There's no agent configuration, and you can use your existing install tools.
- Agent-based scanning integrates into the DevOps cycle, so the API can be used for the full lifecycle: boot, configuration, and termination.
- There's less traffic crossing firewall boundaries, which reduces your overall network overhead.
- Agents are secure by default, meaning all data at rest and in transit is encrypted.
- There's no inbound network access, so your network attack surface is not increased.
- You won't see an impact on your cloud provider's network, so you don't have to ask the CSP for permission to scan.