Skip to content

Security Scanning — Trivia & Interesting Facts

Surprising, historical, and little-known facts about security scanning.

Nmap was first released in a Phrack magazine article in 1997

Gordon "Fyodor" Lyon published Nmap in Phrack Magazine issue 51 in September 1997. The original version was about 2,000 lines of C code. By the mid-2020s, Nmap had grown to over 300,000 lines and could fingerprint over 5,000 operating system versions. It has appeared in at least 14 movies, including The Matrix Reloaded, where Trinity uses it on screen.

The first vulnerability scanner was created by a high school student

Dan Farmer co-authored SATAN (Security Administrator Tool for Analyzing Networks) in 1995 while working with Wietse Venema. The release was extremely controversial — critics claimed it would enable script kiddies. CIAC at the Department of Energy issued an advisory, and many organizations banned its use. Today, automated vulnerability scanning is considered a basic security hygiene practice.

Nessus was open-source for 12 years before going proprietary

Nessus, one of the most widely used vulnerability scanners, was released as open-source software by Renaud Deraison in 1998. In 2005, Tenable Network Security closed the source code starting with version 3.0. The open-source community forked the last open version into OpenVAS (now Greenbone Vulnerability Management), which continues development today.

CVE-2021-44228 (Log4Shell) generated over 10 million scan events in 72 hours

When the Log4Shell vulnerability in Apache Log4j was disclosed on December 9, 2021, security scanning traffic exploded. Cloudflare reported blocking over 10 million exploit attempts in the first 72 hours. Every vulnerability scanner on earth was updated within days, and the scanning traffic was so intense that some organizations' WAFs crashed under the load.

Static analysis tools produce false positive rates between 30% and 90%

Academic studies consistently find that static application security testing (SAST) tools produce false positive rates ranging from 30% to over 90%, depending on the tool and codebase. This "alert fatigue" is a major reason why developers often ignore security scanning results, creating a paradox where more scanning can sometimes lead to worse security outcomes.

The National Vulnerability Database contains over 200,000 CVEs

NIST's NVD surpassed 200,000 cataloged vulnerabilities (CVEs) in 2023. The database receives roughly 25,000 new CVEs per year, meaning approximately 68 new vulnerabilities are published every single day. The true number of software vulnerabilities is believed to be orders of magnitude higher.

Container image scanning was not a thing until 2015

Before Docker's explosive growth in 2013-2015, there was no concept of "container image scanning." CoreOS launched Clair, the first open-source container vulnerability scanner, in November 2015. Today, container scanning is considered mandatory in production pipelines, with tools like Trivy, Grype, and Snyk scanning millions of images daily.

Shodan indexes over 8 billion devices connected to the internet

Shodan, created by John Matherly in 2009 as a side project, continuously scans the entire IPv4 address space and indexes banners from internet-connected devices. It has found everything from unprotected power plants and traffic light controllers to webcams and medical devices. Matherly has called it "the scariest search engine on the internet."

OWASP ZAP was maintained by a single person for over a decade

OWASP ZAP (Zed Attack Proxy), one of the most popular free web application security scanners, was primarily developed and maintained by Simon Bennetts from 2010 to 2023. He worked on it full-time at Mozilla for several years. The project has been downloaded over 400 million times and is used by security teams worldwide.

Fuzzing found over 40,000 bugs in the Linux kernel

Google's syzkaller kernel fuzzer, along with related fuzzing efforts, has found tens of thousands of bugs in the Linux kernel since its introduction in 2015. OSS-Fuzz, Google's continuous fuzzing service for open-source projects, has found over 10,000 vulnerabilities and 36,000 bugs across 1,000 projects as of 2024.