Vulnerability Detection and Assessment (SP 800-40r4 / SP 800-53 RA-5)
Use automated vulnerability scanners (e.g., Nessus, Qualys, OpenVAS) for:
Network scanning (internal/external)
Web application scanning (Dynamic Application Security Testing, DAST)
Container image and code repository scanning (GitHub Dependabot covers dependency manifests for GitHub-hosted repositories)
For Rust, note the distinction between tool classes: cargo-audit is a dependency (software composition analysis) scanner, not SAST. It checks Cargo.lock against the RustSec Advisory Database and reports crates with known advisories; it does not analyse your own source code. For SAST of Rust code, Semgrep and Checkmarx will require custom rulesets.
Frequency:
Critical infrastructure: weekly
Internal systems: monthly
After significant changes: ad hoc
References:
SP 800-40r4 https://csrc.nist.gov/pubs/sp/800/40/r4/final
SP 800-53 RA-5 https://csf.tools/reference/nist-sp-800-53/r5/ra/ra-5/