Frequently Asked Questions

An Answer For Each Question

Q: Why multiple security scanners instead of one?

Because in security there is no silver bullet: no single approach suffices to identify and eliminate every vulnerability. Even one of the leaders in Gartner's 2016 Magic Quadrant for Application Security Testing said as much:

Furthermore, some security scanners are specialists that deserve a place of their own. Nmap, for example, is a scanner specialized in port scanning, and it is hard to beat at that job.

We believe that combining approaches and scanners is the way to go. Gauntlet takes advantage of big and small scanners to augment its platform and lets you orchestrate them all, thus increasing the probability of finding more bugs.

Q: What scanners do you support?

Please check the complete list here.

We support many open source and commercial scanners. You can also bring your own scanner, or ask us to add another one, even a commercial scanner, as long as you hold a license for it. Learn more about how to bring your own scanner.

Q: What are the risks of running a scan in production?

There are a few risks one must be aware of before running a scan against production. They include possible downtime caused by the scan load, and automated form submission with junk data (scanners fill in and submit every form they find, so test data can end up in your database or trigger e-mails and other side effects).

Regarding possible downtime, you have the ability to:

  • Regulate the scan speed
    • Even if a scanner doesn't support such a feature itself, you can limit it globally using Gauntlet's speed control mechanism. We recommend the "slow" speed during business hours;
  • Select fewer scanners
    • Running fewer scanners at a time reduces the load on the server;
  • Pause scanners at any time
    • You can stop scanners individually or the entire scan at once;
  • Set the max execution time for a scan
    • Before the scan starts, you can define how long it may run. After that time the scan stops as if a user had stopped it manually.

Regarding automated form submission, there is not much you can do except adding a CAPTCHA to the forms you don't want submitted. Be aware of the trade-off: a CAPTCHA stops the scanners too, so the forms behind it will not be exercised by the scan.
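To make the speed control, pause/stop and max-execution-time controls above concrete, here is an added example (not Gauntlet's code) of how an orchestrator can enforce them on scanners that have no throttling of their own: every request any scanner sends first passes through one shared token bucket, and a deadline turns into a stop that every scanner sees. The speed profile values, the scanner names and the request paths are made up for the illustration; the simulated clock exists only so the example runs instantly and deterministically.

```python
"""Added example: a global speed control and max-execution-time guard that an
orchestrator can put in front of scanners lacking their own rate limiting.
Illustrative only; it is not Gauntlet's implementation."""
import threading
import time

# Hypothetical speed profiles: total requests per second the whole scan may
# send to the target, shared by every scanner taking part in the scan.
SPEED_PROFILES = {"slow": 2.0, "normal": 10.0, "fast": 50.0}


class ScanStopped(Exception):
    """Raised to a scanner when the scan was stopped or its time budget ran out."""


class SimClock:
    """Simulated clock so the example runs instantly and deterministically.
    Pass time.monotonic / time.sleep to ScanController for real use."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class ScanController:
    """Token-bucket throttle shared by all scanners, plus pause/stop and a deadline."""

    def __init__(self, speed="slow", max_runtime_s=None,
                 clock=time.monotonic, sleep=time.sleep):
        if speed not in SPEED_PROFILES:
            raise ValueError(f"unknown speed profile {speed!r}")
        self.rate = SPEED_PROFILES[speed]       # tokens (requests) added per second
        self.capacity = max(1.0, self.rate)     # burst of at most one second's worth
        self.tokens = self.capacity
        self._clock, self._sleep = clock, sleep
        self.started = clock()
        self.last_refill = self.started
        self.deadline = None if max_runtime_s is None else self.started + max_runtime_s
        self.requests_sent = 0
        self.stop_reason = None
        self._lock = threading.Lock()           # scanners normally run in threads
        self._running = threading.Event()       # cleared == paused
        self._running.set()

    def pause(self):
        self._running.clear()

    def resume(self):
        self._running.set()

    def stop(self, reason="stopped by user"):
        self.stop_reason = self.stop_reason or reason
        self._running.set()                     # wake paused scanners so they see the stop

    def elapsed(self):
        return self._clock() - self.started

    def acquire(self):
        """Block until this scanner may send one request. Raises ScanStopped if
        the scan was stopped or the max execution time has passed."""
        while True:
            self._running.wait()
            if self.stop_reason is not None:
                raise ScanStopped(self.stop_reason)
            now = self._clock()
            if self.deadline is not None and now >= self.deadline:
                self.stop("max execution time reached")
                raise ScanStopped(self.stop_reason)
            with self._lock:
                self.tokens = min(self.capacity,
                                  self.tokens + (now - self.last_refill) * self.rate)
                self.last_refill = now
                if self.tokens >= 1.0:
                    self.tokens -= 1.0
                    self.requests_sent += 1
                    return
                wait = (1.0 - self.tokens) / self.rate   # time until the next token
            self._sleep(wait)


def run_scanner(controller, name, paths):
    """Stand-in for one scanner: every request it makes goes through the controller."""
    sent = []
    for path in paths:
        try:
            controller.acquire()
        except ScanStopped:
            break
        sent.append(f"{name} GET {path}")   # a real scanner would send the request here
    return sent


def orchestrate(scanners, speed="slow", max_runtime_s=None, clock=None):
    """Run each scanner's request list under one shared speed limit and deadline.
    Returns (requests actually sent, seconds elapsed, stop reason or None)."""
    clock = clock or SimClock()
    ctl = ScanController(speed, max_runtime_s, clock.now, clock.sleep)
    sent = []
    for name, paths in scanners.items():
        sent.extend(run_scanner(ctl, name, paths))
    return sent, ctl.elapsed(), ctl.stop_reason


# Constructed sample workload: three hypothetical scanners, ten requests each.
SAMPLE_SCANNERS = {
    "port-scanner": [f"/probe/{i}" for i in range(10)],
    "web-scanner": [f"/page/{i}" for i in range(10)],
    "fuzzer": [f"/api/v1/items?id={i}" for i in range(10)],
}

if __name__ == "__main__":
    sent, secs, reason = orchestrate(SAMPLE_SCANNERS, "slow")
    print(f"slow, no budget: {len(sent)} requests in {secs:.1f}s, stop reason: {reason}")
    sent, secs, reason = orchestrate(SAMPLE_SCANNERS, "slow", max_runtime_s=5.0)
    print(f"slow, 5s budget: {len(sent)} requests in {secs:.1f}s, stop reason: {reason}")
```

At the "slow" profile the 30 sample requests are spread over 14 simulated seconds instead of arriving in a burst, and with a 5-second budget the run ends after 11 requests with the reason "max execution time reached", exactly the behaviour described above. Because the limit is enforced in the controller rather than in each scanner, adding a scanner never raises the total load on the target; it only shares the same budget.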

Q: Can I test an application not exposed to the internet?

Yes. Gauntlet gives you two options:

  • Test through a secure tunnel
    • Securely expose your application only to us, over an encrypted tunnel. More details here.
  • Use our Virtual Scan Appliance (VSA)
    • A scanner server hosted behind your firewall that runs the scan locally and uploads the findings to our platform.


Didn't find your question?

Drop us an email at contact@gauntlet.io