This post was originally published here by Cliff Turner.
Constant security scans can be a headache, and finding the best tool for the job can be even more of a nightmare. There’s plenty of conflicting information circulating about what will be best for your business. Should you get an agent-based scanning tool, or rely on appliance-based vulnerability scanning? What products are lightweight enough to blend into the DevOps cycle and not slow down innovation? What products will keep you in compliance consistently and eliminate manual scans?
Well, if you want your scans to integrate seamlessly into your production cycle, then I would say agent-based scanning is the best option for you. In fact, I’m so convinced it’s the best option that I’ve outlined 14 key reasons why there’s no contest between agent-based scanning and appliance-based vulnerability scanning.
Check them out below, and see if you agree.
- With agent-based scanning, there’s no limit to the number of hosts scanned – you can scan your entire enterprise at the same time.
- There are no network requirements and no firewall changes with agent-based scanning.
- No scanning windows are required – for example with CloudPassage Halo, scans are lightweight and have no network impact.
- Scans can be initiated by API, manually, or automatically, meaning environments can be scanned automatically at boot, after every change, and continuously.
- There are no IP requirements. In dynamic environments like public cloud there is no risk of missing servers because their IPs changed, and you’re not affected by duplicate IP addresses or NAT usage.
- Licensing is by workload, not by IP. Consequently, there’s reduced cost for scanning multiple IPs on the same network.
- No appliances are required. Agent-based scanning is quick to deploy and simple to manage.
- No user credentials are required, so all workloads can be scanned, even servers you can’t log into.
- Installing an agent is seriously simple. There’s no agent configuration and you can use existing install tools.
- Agent-based scanning integrates into the DevOps cycle. The API can therefore be used across the full lifecycle, from boot to termination, including configuration.
- There’s less traffic crossing firewall boundaries which reduces your overall network overhead.
- Agents are secure by default, meaning all data at rest and in transit is encrypted.
- There’s no inbound network access, so your network attack surface is not increased.
- You won’t see an impact on your cloud provider network, so you don’t have to ask the CSP for permission to scan.
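The "no IP requirements" point above is easiest to see with a concrete inventory. The following is an added example, not code from the original post or from CloudPassage: it simulates two scan cycles over a constructed timeline in which two VPCs share the 10.0.0.0/24 range and autoscaling hands an old address to a new host. One inventory is keyed by IP address, the way an appliance scanner records results; the other is keyed by the stable identity an installed agent would report. The workload IDs, addresses and vulnerability IDs are all placeholders I made up for the illustration.

```python
"""Added example, not from the original post: a small simulation of why an
inventory keyed by IP address (appliance-style scanning) drops hosts in a
dynamic cloud, while one keyed by a per-workload agent identity does not.
Every observation below is constructed; the workload IDs and vulnerability
IDs are placeholders, not real identifiers."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One scan result: which host was scanned, at which address, with what findings."""
    workload_id: str       # stable identity an installed agent reports (assumed)
    ip: str                # address the host had when the scan ran
    findings: frozenset    # vulnerability IDs found (constructed placeholders)


# Constructed timeline across two scan cycles in an environment with
# overlapping private ranges (two VPCs both using 10.0.0.0/24) and autoscaling.
TIMELINE = (
    # cycle 1
    Observation("wl-web-01", "10.0.0.5", frozenset({"VULN-A"})),
    Observation("wl-db-01", "10.0.0.5", frozenset({"VULN-B"})),    # same IP, other VPC
    Observation("wl-api-01", "10.0.0.9", frozenset()),
    # cycle 2: autoscaling replaced wl-api-01 behind a new address,
    # and a new cache host was handed the old address
    Observation("wl-api-01", "10.0.0.23", frozenset({"VULN-C"})),
    Observation("wl-cache-01", "10.0.0.9", frozenset({"VULN-D"})),
)


def inventory_by_ip(events):
    """Appliance-style bookkeeping: the record key is the IP address, so a later
    observation at the same address silently overwrites the earlier host."""
    inv = {}
    for ev in events:
        inv[ev.ip] = ev.findings
    return inv


def inventory_by_workload(events):
    """Agent-style bookkeeping: the record key is the workload identity, so each
    host keeps its own record no matter how its address changes."""
    inv = {}
    for ev in events:
        inv[ev.workload_id] = ev.findings
    return inv


def findings_lost_by_ip_keying(events):
    """Vulnerabilities known on some workload that an IP-keyed inventory no longer lists."""
    by_workload = set().union(*inventory_by_workload(events).values())
    by_ip = set().union(*inventory_by_ip(events).values())
    return by_workload - by_ip


def ip_collisions(events):
    """Detection check: addresses observed with more than one workload identity.
    Any hit means IP-keyed records for that address cannot be trusted."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.ip].add(ev.workload_id)
    return {ip for ip, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    print("hosts by IP:      ", len(inventory_by_ip(TIMELINE)))        # 3
    print("hosts by workload:", len(inventory_by_workload(TIMELINE)))  # 4
    print("findings lost:    ", findings_lost_by_ip_keying(TIMELINE))  # {'VULN-A'}
    print("colliding IPs:    ", ip_collisions(TIMELINE))               # {'10.0.0.5', '10.0.0.9'}
```

The IP-keyed inventory ends up with three records for four workloads and has lost VULN-A entirely, because the database host in the second VPC overwrote the web host that happened to share its private address. The `ip_collisions` check is the kind of sanity test worth running against any IP-based scanner output: if the same address shows up with different identities across cycles, the per-IP records are stale and the gap has to be closed by something that identifies the workload itself.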