Effective security scanning

Security scanning is a common procedure for assessing the security posture of a system or application. It takes many forms: automated scanners that test a system against a catalogue of rules and failure conditions, tools that fuzz APIs by sending intentionally random or malicious inputs to search for vulnerabilities, and active measures such as penetration testing carried out by teams of professionals.

Security scanning can be carried out against a specific application, such as one built with an ArcGIS SDK or included as an embedded ArcGIS app, or against an entire system, combining as many scanning types and approaches as the system warrants. Most scans produce a list of reported issues ranging in severity from low or informational to high or critical, based either on known exploitable vulnerabilities or on potentially exploitable conditions. The assessment of what counts as low or high risk is often subjective: it may depend on the scanning framework or the vendor providing the service, or it may be taken from an external rating such as a Common Vulnerability Scoring System (CVSS) score. In any case, the reported risk must be weighed against the realistic possibility of exploit, which depends on the accessibility of the system, on whether the affected software is exposed to end-user requests, and on whether it is used or configured in a way that actually leaves the system vulnerable to the identified issue.

ArcGIS is built with a wide array of third-party libraries and exposes a range of APIs and endpoints developed by Esri. Security scans commonly report potential issues that the organization should review and verify for relevance and exploitability before submitting them to Esri for review and action. For example, a scan that detects a vulnerability on an ArcGIS Server administrative endpoint may not take into account that, in that environment, the administrative endpoints are not available to end users (because administrative access has been disabled in the ArcGIS Web Adaptor, for example). In that case the finding can be treated as a false positive, since there is no realistic exploit path for the issue.
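The triage reasoning above (scanner severity weighed against reachability and actual use) can be written down so that the same rules are applied to every finding. The following is an added example and is not Esri code or the output of any Esri tool: the report JSON, its field names, the finding identifiers, the URLs, the component names and the Environment fields are all constructed assumptions, and the one-band downgrade for internal-only systems is a local policy choice, not an Esri rule. The CVSS bands are the qualitative ratings of the CVSS v3 scale.

```python
"""Triage scanner findings against deployment context.

Added example for this page; not Esri code. The report format, field names,
finding ids, URLs, component names and the Environment description are
constructed assumptions; map your scanner's output and your deployment onto
them before use.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Qualitative bands of the CVSS v3 severity rating scale, lowest first.
BANDS = ["informational", "low", "medium", "high", "critical"]


def cvss_band(score: float) -> str:
    """Map a CVSS base score onto its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "informational"


@dataclass(frozen=True)
class Environment:
    """What the scanner cannot see about one deployment (constructed fields)."""
    admin_endpoints_exposed: bool   # False when admin access is disabled in the Web Adaptor
    internet_facing: bool           # True when untrusted networks can reach the server
    unused_components: frozenset    # components that are disabled or never deployed


@dataclass(frozen=True)
class Verdict:
    finding_id: str
    disposition: str    # "false-positive candidate" or "verify with Esri"
    reported: str       # band derived from the scanner's CVSS score
    effective: str      # band after applying deployment context
    reason: str


def is_admin_path(url: str) -> bool:
    """True when the URL targets the ArcGIS Server Administrator Directory (<context>/admin)."""
    segments = [s.lower() for s in urlsplit(url).path.split("/") if s]
    return "admin" in segments


def triage(finding: dict, env: Environment) -> Verdict:
    """Apply reachability and usage context to one scanner finding."""
    reported = cvss_band(float(finding["cvss"]))
    fid = finding["id"]
    # Raised against an admin endpoint that end users cannot reach in this deployment.
    if is_admin_path(finding["url"]) and not env.admin_endpoints_exposed:
        return Verdict(fid, "false-positive candidate", reported, "informational",
                       "administrative endpoint is not reachable by end users here")
    # Affected component is not used, so the vulnerable code path is not exercised.
    if finding["component"] in env.unused_components:
        return Verdict(fid, "false-positive candidate", reported, "informational",
                       "affected component is disabled or not deployed")
    effective = reported
    # Assumption (local policy, not an Esri rule): an internal-only system is
    # rated one band below the scanner's score, never below informational.
    if not env.internet_facing and reported != "informational":
        effective = BANDS[BANDS.index(reported) - 1]
    return Verdict(fid, "verify with Esri", reported, effective,
                   "reachable in this deployment; confirm the exploit conditions apply")


def triage_report(report_json: str, env: Environment) -> list:
    """Triage every finding in a report and order the result by effective band, highest first."""
    verdicts = [triage(f, env) for f in json.loads(report_json)]
    # sorted() is stable, so findings with equal bands keep their report order.
    return sorted(verdicts, key=lambda v: BANDS.index(v.effective), reverse=True)


# Constructed sample scanner output; ids, URLs and component names are invented.
SAMPLE_REPORT = json.dumps([
    {"id": "F-1", "cvss": 9.1, "url": "https://gis.example.org/arcgis/admin/system",
     "component": "server-admin-api"},
    {"id": "F-2", "cvss": 7.5, "url": "https://gis.example.org/arcgis/rest/services",
     "component": "rest-services"},
    {"id": "F-3", "cvss": 5.3, "url": "https://gis.example.org/arcgis/rest/services",
     "component": "legacy-soap-handler"},
    {"id": "F-4", "cvss": 3.1, "url": "https://gis.example.org/arcgis/rest/info",
     "component": "rest-services"},
])

# Constructed deployment: admin access disabled in the Web Adaptor, internet-facing,
# and the "legacy-soap-handler" component never enabled.
SAMPLE_ENV = Environment(admin_endpoints_exposed=False, internet_facing=True,
                         unused_components=frozenset({"legacy-soap-handler"}))

if __name__ == "__main__":
    for v in triage_report(SAMPLE_REPORT, SAMPLE_ENV):
        print(f"{v.finding_id}: {v.disposition} (reported {v.reported}, "
              f"effective {v.effective}) - {v.reason}")
```

With the sample deployment, the critical-rated finding against the admin endpoint drops to a false-positive candidate because the endpoint is not reachable, while the high-rated finding on the public REST endpoint stays at the top of the list for verification with Esri. The verdict keeps both the reported and the effective band so the reasoning can be shown to the security team rather than silently discarding the scanner's rating.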

Recommendations

Consider these important notes and recommendations related to security scanning:

  • Before running an automated scan, ensure that your system has been configured to follow Esri security best practices. This can be done with the ArcGIS Security and Privacy Advisor tool or by following the recommendations of the serverScan.py and portalScan.py tools. More information about securing your configuration is available in the ArcGIS Trust Center.
  • Active penetration testing (or pen testing) of ArcGIS Online is not allowed under Esri’s Master License Agreement. Connect with your Esri account team for further questions about security testing against ArcGIS Online.
  • Security scan reports should first be reviewed with your organization's security team to establish which severity levels are of most concern and to classify each reported issue as either a potential false positive or a genuinely exploitable vulnerability in your deployment.
  • Many open-source libraries and modules fix security issues through patches or new version releases, but be aware that manually upgrading an internal component of ArcGIS will leave your system in an unsupported and potentially unstable state. The only correct mitigation for such an issue is a patch or new software release from Esri that updates the third-party component or library. Esri actively reviews publicly announced issues and introduces third-party component updates with each release to mitigate these risks.

Additional resources related to security scanning are available in the ArcGIS Vulnerability Scanning Guidance document in the ArcGIS Trust Center (requires ArcGIS login for access).
