external vulnerability scanning

Overview

Vulnerability scanning uses software to attempt to connect to hosts in the specified range of ports. When the scanner detects that the port is open, it will try to identify if the software opening the port on the server is vulnerable to a list of known vulnerabilities. If the system proves to be vulnerable, it is added to the report.

The information from a vulnerability scan can be used to either attack the system using known weaknesses or to create a list of vulnerabilities to be addressed.

Why are they asking this?

They want your organization to be scanning your external systems so that vulnerabilities are discovered and addressed by you before they can be exploited.

What do they expect?

It is expected that external vulnerability scanning is included in your security plans. You may include it in the vulnerability management plan or other policies.

Does your company utilize a vulnerability scanning tool to identify vulnerabilities on external and/or internal hosts?
Does your organization ensure that internal and external vulnerability scans are performed at least quarterly?
How frequently do you perform vulnerability scans for internal and external facing networks? Which tool is used to perform these scans?
Do you have an external third-party perform quarterly vulnerability scans and penetration tests on your applications and annual tests of your networks?
Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks?