The debut of open source vulnerability scanner has not been met with the fanfare Cloudflare would have liked
UPDATED Cloudflare has open-sourced a network vulnerability scanner it’s calling ‘Flan Scan’, but the move hasn’t been met with approval from all information security quarters.
On Thursday, the web infrastructure and security firm said the tool was originally developed in response to internal security compliance challenges.
“We created Flan Scan after two unsuccessful attempts at using ‘industry standard’ scanners for our compliance scans,” Cloudflare said.
“A little over a year ago, we were paying a big vendor for their scanner until we realized it was one of our highest security costs and many of its features were not relevant to our setup.”
Cloudflare added that it was not getting its “money’s worth” from existing scanners and so switched to an open source option in order to meet tight compliance deadlines.
“We needed a scanner that could accurately detect the services on our network and then lookup those services in a database of CVEs to find vulnerabilities relevant to our services,” Cloudflare says.
“Additionally, unlike other scanners we had tried, our tool had to be easy to deploy across our entire network.”
Proof of the pudding
Flan Scan is not an original invention. Instead, the release is a wrapper around Nmap, a network scanner long popular with penetration testers.
The script pings a third-party remote server – the vulners.com API – to check if the target software has been connected to known security issues, and its use can be restricted to CVSS scores of particular severity levels.
Flan Scan uses Nmap to run an ICMP ping scan, SYN port scan, service detection checks, TCP handshake and banner grabbing scans, as well as optional UDP and IPv6 address scans.
Vulners then comes into play, providing data on known vulnerabilities in detected services.
Flan Scan, which comprises Nmap and vulners, has been packaged in a Docker container. Results are sent to Google Cloud Storage or S3 buckets.
Perhaps the only real difference from existing usage of the technology is the next stage, in which Flan Scan uses Python to convert Nmap output into actionable LaTeX reports.
What’s in a name?
“Cloudflare’s mission is to help build a better internet for everyone, not just internet giants who can afford to buy expensive tools,” the firm says.
“We’re open sourcing Flan Scan because we believe it shouldn’t cost tons of money to have strong network security.”
The mission sounds honorable, but the name of the tool has already been met with some amusement, along with the logo, which has been connected widely to the Filipino Leche flan dish.
Dessert storm: Cloudflare launched Flan Scan this week
Humor aside, however, Cloudflare is facing backlash from the cybersecurity community over Flan Scan, with phrases including “check box compliance”, “rip-off”, and “bullshit” flying around the internet.
Cloudflare has not said it relies on Flan Scan alone. Rather, the tool is used in tandem with osquery, which performs host-based vulnerability tracking.
Regardless, users discussing the release on Reddit this week have noted that the scan itself is only superficial and focuses on matching known vulnerabilities to services, rather than acting as a ‘true’ vulnerability scanner that’s able to test for security holes.
“I actually cannot believe they are going public with this and open sourcing,” commented Reddit user ki11a11hippies, who claims to be a Cloudflare customer.
“I’m not going to be the only customer with questions and concerns. Nmap+vulners isn’t doing the deep level authenticated scanning of a Nessus or Rapid7 – it’s doing surface-level version probes of open ports and matching to CVEs. [Cloudflare] just severely cheaped out on their vulnerability management program for a very simplistic wrapper to Nmap.”
False positives, too, have been highlighted as a potential problem. And others have queried why Cloudflare appears to be relying on Flan Scan, rather than potential alternatives such as Tenable’s Nessus, which is able to test whether or not software is vulnerable to specific security issues.
In summary of the tool, user ipaqmaster commented, “A quick potential automated insight, but nothing actually useful for a compromise”.
“The goal of the project has been to develop a vulnerability scanner that is completely free, deployable in 10 minutes, and will help set a strong security baseline,” Joe Sullivan, Cloudflare’s chief security officer, told The Daily Swig.
“This tool fundamentally works similarly to big name vulnerability scanners, by banner grabbing and matching service versions to vulnerabilities. We look forward to getting constructive feedback and invite collaboration as we continue to work on and expand it. That is part of the reason we open-sourced it.”
This article has been updated to include comment from Cloudflare.