credentialed scanning


What is credentialed scanning?

Credentialed scanning (also known as authenticated scanning) is a type of external vulnerability scan that tests the security of applications from the perspective of a logged-in user.

It is performed using a Dynamic Application Security Testing (DAST) tool, which tests an application while it is running to identify vulnerabilities in real time.

Why is credentialed scanning important?

  • Enhanced coverage: Credentialed application vulnerability scans uncover issues that infrastructure scans can’t, providing you with a broader and more thorough evaluation.
  • Find critical issues: When a user is logged in, they typically have access to more sensitive functions. Therefore, credentialed scans can find vulnerabilities that are likely to pose a higher risk.
  • Minimize your attack surface: Credentialed scanning gives you visibility of the attack surface hidden behind a login, so you can take action to reduce it.

What’s the difference between credentialed and uncredentialed scans?

Unlike credentialed scans, which test the security of an app from a logged-in perspective, uncredentialed scans use the app's public interface and information from web servers and networks to find weaknesses.

When to perform credentialed scanning

Web application vulnerabilities are one of the most common attack vectors, so testing apps from different attacker perspectives has become essential.

Credentialed vulnerability scanning is particularly important if any of the following apply to your application:

  • Your app permits anyone on the internet to sign up
  • Your app involves substantial user interaction and customization
  • Your app houses sensitive or regulated data
  • Your organization must comply with rigorous security standards or compliance requirements

Frequency of credentialed vulnerability scanning

Vulnerability scans are often performed quarterly, but this only gives you a point-in-time snapshot of your vulnerability status, and doesn’t provide you with ongoing visibility.

Both credentialed and uncredentialed scanning should be continuous to provide 24/7 monitoring of your IT environment and help you keep your time-to-fix as low as possible.  

Get started with Intruder

A vulnerability scanner like Intruder makes it easy to perform credentialed scanning for web apps and APIs on a regular basis. Intruder integrates with your CI/CD pipeline, automates security compliance, provides easy-to-understand remediation advice, and much more. Give it a try with a 14-day free trial.