Vulnerability Scanning Overview

Fence performs comprehensive security scanning across multiple dimensions to identify vulnerabilities in your web applications.

What Fence Scans

1. SSL/TLS Security

Certificate validity and expiration
Weak cipher suites (RC4, DES, 3DES)
Protocol vulnerabilities (SSLv2, SSLv3, TLS 1.0/1.1)
Certificate chain issues
Heartbleed, POODLE, BEAST, and other SSL attacks
Self-signed certificates

2. OWASP Top 10 Vulnerabilities

Broken Access Control - Unauthorized access to resources
Cryptographic Failures - Weak encryption, exposed secrets
Injection - SQL injection, command injection, LDAP injection
Insecure Design - Architecture flaws and business logic bugs
Security Misconfiguration - Default configs, unnecessary features
Vulnerable Components - Outdated libraries and frameworks
Authentication Failures - Weak passwords, session management issues
Data Integrity Failures - Insecure deserialization, unsigned updates
Logging Failures - Insufficient logging and monitoring
SSRF - Server-Side Request Forgery

3. CVE Detection

Known vulnerabilities from the National Vulnerability Database (NVD)
Coverage of CVEs from 2000-2025 (3,490+ templates)
Version detection for common software
Severity scoring (CVSS v2, v3, v4)

4. Security Headers

Missing or misconfigured security headers:
Content-Security-Policy (CSP)
Strict-Transport-Security (HSTS)
X-Frame-Options (clickjacking protection)
X-Content-Type-Options (MIME sniffing protection)
Referrer-Policy
Permissions-Policy

5. Information Disclosure

Exposed configuration files (.env, web.config, etc.)
Directory listings
Version information in headers
Debug mode enabled
Exposed API keys (AWS, GitHub, Stripe, Google, Slack)

Scanning Frequency

Tier	Scan Frequency	On-Demand Scans
Hobby	Weekly	No
Startup	Daily	No
Enterprise	Hourly	Yes
Custom	Custom (configurable)	Yes

Scan Types

Fence offers several scan types to match your needs:

Full Scan

Combines all scanners for comprehensive coverage:
- SSL/TLS certificate and configuration analysis
- OWASP Top 10 vulnerability detection
- CVE scanning with Nuclei templates
- Security headers analysis
- Port scanning and service detection
- Information disclosure checks

Duration: 5-10 minutes per domain
Availability: All tiers

Targeted Scans

Run individual scanner types for faster results:
- SSL Scan - Certificate and TLS configuration only (30 seconds)
- Headers Scan - Security headers analysis only (10 seconds)
- OWASP Scan - Web application vulnerabilities (3-5 minutes)
- CVE Scan - Known vulnerability detection (2-3 minutes)
- Port Scan - Network service enumeration (1-2 minutes)

Availability: Startup tier and above

Scanner Technology

Fence uses industry-standard security tools:

Scanner	Purpose	Technology
SSLyze	SSL/TLS deep scanning	Python cryptography library
Wapiti	OWASP Top 10 detection	Web application scanner
Nuclei	CVE detection	Template-based vulnerability scanner
Nmap	Port scanning	Network mapper
Nettacker	Multi-protocol scanning	Automated penetration testing
Custom	Info disclosure, headers	Python requests + custom logic

Scan Results

After each scan, Fence provides:

Vulnerability Details

Plain English description - What the vulnerability is
Business impact - Why it matters to your business
Severity rating - Critical, High, Medium, Low, Info
CVSS score - Industry-standard risk scoring
CWE classification - Common Weakness Enumeration category
OWASP mapping - Which OWASP Top 10 category it falls under

Remediation Guidance

Fix summary - Quick overview of the fix
Difficulty rating - Easy, Medium, Hard
Step-by-step instructions - Detailed remediation steps
Code examples - Sample fixes for popular frameworks (Django, Flask, Express, Rails)
Configuration examples - Nginx, Apache, Cloudflare configs
References - Links to OWASP, NIST NVD, MITRE, MDN docs

Scan History

Hobby tier: 90 days of scan history
Startup/Enterprise/Custom: 1 year of scan history
Trend analysis: See how vulnerabilities change over time
Compliance reports: PCI DSS, HIPAA, ISO 27001 mapping (Startup+)

False Positives

All automated scanners have false positive rates. Fence minimizes these through:

Multi-scanner validation - Cross-reference findings across scanners
Template matching - Link findings to our 3,541+ vulnerability templates
Manual review - Enterprise tier includes manual pentesting validation
Feedback loop - Mark false positives to improve accuracy

Estimated false positive rate: 5-10% (industry average is 15-25%)

Scan Limitations

What Fence CAN Scan

✅ Public-facing web applications
✅ SSL/TLS certificates
✅ Security headers
✅ Known CVEs
✅ OWASP Top 10 vulnerabilities
✅ .onion sites (Startup+ tier)
✅ API endpoints (Enterprise+ tier)

What Fence CANNOT Scan (yet)

❌ Internal/private applications (Enterprise Internal Scanner in development)
❌ Mobile apps (iOS/Android binary analysis)
❌ Source code (SAST capabilities coming Q2 2025)
❌ Infrastructure (AWS/Azure/GCP posture scanning)
❌ Containers/Kubernetes (Docker security scanning)

Note: Enterprise tier includes internal scanner access for cloud posture, secret scanning, and container security.

Compliance Mapping

Fence scans help you meet compliance requirements:

Standard	What Fence Checks
PCI DSS	Requirement 6.6 (vulnerability scanning), 4.1 (TLS 1.2+), 6.2 (security patches)
HIPAA	§ 164.308(a)(8) (vulnerability assessment), § 164.312(e)(1) (encryption)
NIST 800-171	3.11.2 (vulnerability scanning), 3.13.10 (cryptographic protection)
ISO 27001	A.12.6.1 (vulnerability management), A.10.1.1 (cryptographic controls)
SOC 2	CC7.1 (vulnerability detection), CC6.7 (encryption)