Vulnerability scanning with PAM in zero trust environments

Never trust, always check – that’s the zero trust motto. Enterprises and government agencies alike are rushing to implement at least some zero trust technologies, notably privileged access management (PAM), but this may have a knock-on effect on application security testing. Learn how modern AppSec solutions integrate with PAM platforms to ensure accurate testing even in locked-down environments.

Vulnerability scanning with PAM in zero trust environments

The drive towards zero trust

As defined by the National Institute of Standards and Technology (NIST), zero trust architecture (ZTA) is “an enterprise’s cybersecurity plan that uses zero trust concepts and encompasses component relationships, workflow planning, and access policies.” In plain language, ZTA requires organizations to treat every component, user, and operation in their information systems as potentially malicious and explicitly check for access authorization at every level. Any access that is granted should then follow the principle of minimum necessary privileges.

While redesigning existing systems to completely follow ZTA is usually impractical, some zero trust principles are seeing widespread adoption as part of a wider drive towards locking down access and tightening security. Among these is privileged access management (PAM), which focuses on centralized control over access to critical functionality and data. PAM solutions allow organizations to manage and monitor user accounts with elevated privileges, such as administrator accounts – always the most attractive targets for cyberattackers.

With the massive increase in data breaches and cybercrime overall, locking down access to privileged resources is a must for businesses and government organizations alike. As in so many other areas, the accelerated move to cloud-based solutions and remote work during the pandemic has brought renewed urgency to this requirement. What’s more, in the wake of Executive Order 14028 and the related publication of the CISA Zero Trust Maturity Model, many federal agencies will now need to quickly add PAM or similar solutions to their cybersecurity improvement programs.

How privileged access management improves security

The idea behind privileged access management is to centrally control, manage, and monitor privileged users and resources. Typical PAM features include password vaulting, session logging and tracking, two-factor authentication, and automated provisioning and de-provisioning. This helps to reduce common security risks associated with weak or compromised credentials and credential stuffing while also limiting such threats as rogue former employees or contractors.

Consistent access logging and monitoring is also crucial, as most system breaches result not from sudden and dramatic attacks but from stealthy and persistent infiltration. PAM solutions can provide an additional layer of security by monitoring privileged access attempts and warning the security team of any suspicious activity. Combined with reporting functionality, this can help organizations maintain a comprehensive audit trail to meet internal and external compliance requirements.

Authenticated vulnerability scanning in a PAM environment

While zero trust technologies such as privileged access management are a major leap forward in terms of securing access to systems and data, they can be difficult to set up and combine with existing authentication and authorization workflows. This can have serious consequences for application security testing, where automatic authentication by vulnerability scanners is a vital requirement to ensure full coverage. Authenticating automatically and reliably across all the popular methods used in modern web applications is hard enough, but when you replace the entire authentication mechanism with PAM, things get really tough.

As we have written before, authenticated vulnerability scanning is extremely important yet also technically challenging. Less advanced dynamic application security testing (DAST) products can struggle with authentication, leading them to skip restricted site sections and leave unchecked vulnerabilities in your environment. Such limitations might also require risky workarounds, such as only scanning in test environments with authentication disabled. This is especially dangerous considering that pages requiring authentication are precisely the ones that attackers are most likely to target in production.

It seems ironic that as organizations implement PAM to lock down their privileged accounts and prevent access by malicious actors, they also risk making their applications less secure by making them harder to scan for vulnerabilities. On the face of it, this seems like yet another security tradeoff – but if you can find an AppSec solution that supports PAM, you don’t have to compromise. With the right PAM integrations, a modern vulnerability scanner can still reliably access and test your websites and applications both in internal and production environments.

Integration with HashiCorp Vault and CyberArk EPV

HashiCorp and CyberArk are among the pioneers and leaders in the privileged access management space. To help enterprises and government agencies run accurate vulnerability scans in PAM environments that use HashiCorp Vault or CyberArk EPV, Invicti integrates with these platforms out-of-the-box. This lets you set up reliable scanning with a minimum of hassle and without resorting to fragile workarounds to get a scanner to work with PAM.

PAM integrations are only one part of Invicti’s rich integration capabilities. At Invicti, we know that automation is the only practical way to do AppSec at scale, so Invicti comes with a wide array of integrations with popular issue trackers, CI/CD systems, collaboration platforms, SSO schemes, PAM tools, and more. It also has a rich internal API for customizing existing integrations or building your own if required.

To set up integration with HashiCorp or CyberArk PAM, simply specify your vault settings in the Invicti user interface, test the connection, and you are ready to scan. For detailed instructions, see our support pages about integrating Invicti with HashiCorp Vault and CyberArk EPV.

Privileged access management without application security tradeoffs

Integration is the only realistic and efficient way to move towards zero trust without losing sight of the wider security picture. When you implement privileged access management to restrict resource access, you need to be careful not to lock out other components of your cybersecurity program. For application security testing in particular, a vulnerability scanning solution that seamlessly integrates with your PAM platform will help you maintain maximum test coverage at scale even as you lock down access to your critical systems and data.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.