Rezilion has released a report highlighting inaccuracies among scanning technologies.
Trends in vulnerability scanning technology.
Rezilion today released a report, the “Vulnerability Scanner Benchmark,” detailing inaccuracies it found across popular commercial and open-source scanning technologies.
Using six different, popular vulnerability scanners, Rezilion found that only 73% of the vulnerabilities that should have been detected were actually reported, and only 82% of the reported results were correctly identified and relevant. Across the 20 DockerHub containers examined, over 450 high- and critical-severity vulnerabilities were wrongly identified, and on average the scanners missed more than 16 vulnerabilities per container.
“The primary problem is that the scanner performance data is not transparent and leaves end-users without visibility to accurately evaluate effectiveness of vulnerability scanners,” said Yotam Perkal, Director of Vulnerability Research with Rezilion. “With this research, we’re committed to driving the industry forward and proactively approaching the issue. Rezilion’s ultimate goal is to provide transparency about the performance of the scanners and improve the quality of vulnerability scanning across the board.”
Rezilion recommends choosing a scanner that matches your needs and being aware of its capabilities and limits. It also advises against blindly acting on a scanner’s results, since the report showed that findings are frequently misidentified. Finally, it recommends using a Software Bill of Materials (SBOM) to validate the scanner’s results and gain visibility into what is actually present.