Vulnerability scanning is the process of using an automated tool to shoot large numbers of payloads at a target (website or network) to see if they are vulnerable to publicly disclosed security problems. As new security problems are identified by researchers from around the world they are added the the list of tests the scanner will perform and as such the arms race between attackers and defenders evolves.  

If you've read my previous article "What is Pentesting?" you'll have seen I mention that most Pentesters will use vulnerability scanners as part of their tool kit so they can focus their attention on the areas of the target site or network that are most likely to need remediation.

The results of the scan will be combined with the results of manual investigation so that as many as possible of the issues present are included in the report. The objective of a Pentest is not necessarily to compromise the server or network, although this is often possible. The purpose of a Pentest is to identify and report as many as possible security issues that could be used by an attacker to gain their first foothold on their target. In many cases these issues are rated as being of low risk on their own. However, in my experience when it is possible to compromise a web server or gain unauthorized access to a network, it's as often from something considered to be low risk as it is a critical flaw which is much harder to find. It's fair to say the vast majority of attackers use automated means to find low level vulnerabilities and only really start paying attention when they have a foothold in the target. As such it makes sense to use automated means to find the vulns they use to gain that foothold and plug them as soon as possible. 

An example of an attack chain that is very effective but only uses low risk vulnerabilities could be as follows:

An attacker identifies the login page of their target website is vulnerable to user enumeration - This means that either to registration or password recovery page returns a message that confirms whether or not a user's email address is registered on that site e.g try to register or recover your password and receive a message saying "This user is already registered, please try another email address" or similar. The attacker can then run a huge list of email addresses against that function and identify a long list of users, possibly including sites administrators. 

They then identify the login page is vulnerable to Clickjacking - This is when the page can be loaded as an Iframe. This Iframe is then loaded over the attackers own login page and a similar domain name is used which looks very similar and in some cases indistinguishable from the real one. 

When this is set up correctly from the attacker perspective they can email a link to all the users they have enumerated and when those users go to log in they will be sending their login credentials to the attacker controlled site which will then forward them to the real site. The user won't notice any difference but they will have had their credentials compromised. In essence the legitimate login page has been turned into a phishing page using 1 low risk vulnerability and the attack has been completed with the use of 1 more low risk vulnerability, the user enumeration and a smattering of social engineering in the email.

I mention this to demonstrate a site can be compromised using only low risk vulnerabilities in combination. I've done tests for clients who take the view they only fix issues rated as medium and above as part of their appetite-for-risk and this has always worried me.

In financial services and other sensitive industries regulators require that a Pentest be done after any major change is made to a site or network. This is expensive and places a heavy burden on the network/site owner. In industries that are not so heavily regulated the same principle applies but the overhead in time and money isn't realistic, especially where changes are being made frequently or even daily. 

Vulnerability scanning can be used as a cost effective stop gap to check for low hanging fruit issues such as these whenever changes are made so that confidence can be maintained no issues have been introduced between Pentests. The only alternative is to have a tester on staff which is a great expense to bare.