Vulnerability Assessment

A vulnerability assessment is the testing process used to identify, and assign severity levels to, as many security vulnerabilities or defects as possible within a defined timeframe. The process may combine automated and manual techniques, with varying degrees of rigor and coverage. Using a risk-based approach, a vulnerability assessment may target different layers of technology; the most common are server, network, and application layer assessments.

A vulnerability assessment has three major objectives.

1. Identify known vulnerabilities and prioritize them by severity and by the risk they pose to the affected asset.

2. Document the vulnerabilities so that customers can easily identify and reproduce the findings.

3. Create guidance to assist customers with remediating the identified vulnerabilities.
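The three objectives above, as an added worked example (this is illustrative code, not part of the original page or of any scanning product): findings are scored with a CVSS-style base score, then prioritized risk-first by weighting that score with the affected asset's business criticality and internet exposure, and each finding is rendered as a report entry carrying reproduction steps and remediation guidance. All assets, findings, scores and the weighting factors are constructed assumptions for illustration.

```python
"""Risk-based prioritization and documentation of assessment findings.

Added example, not from the original page. Every asset, finding, score
and weighting factor below is constructed for illustration.
"""
from dataclasses import dataclass

# CVSS v3.x qualitative severity bands (lower bound of each band).
CVSS_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
]


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative severity label."""
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    return "None"


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # assumed scale: 1 (low) .. 3 (high) business impact
    internet_facing: bool  # reachable from the public internet


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    asset: Asset
    cvss: float
    reproduce: str         # objective 2: how the customer can confirm it
    remediation: str       # objective 3: how the customer should fix it


def risk_score(f: Finding) -> float:
    """Assumed weighting: CVSS x asset criticality x exposure multiplier.

    The 1.5 exposure multiplier for internet-facing assets is an assumption
    of this example; real programs calibrate these factors themselves.
    """
    exposure = 1.5 if f.asset.internet_facing else 1.0
    return round(f.cvss * f.asset.criticality * exposure, 1)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Objective 1: order findings by risk, highest first (ties by id)."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.id))


def render(f: Finding) -> str:
    """Objectives 2 and 3: a report entry the customer can act on."""
    return (
        f"[{f.id}] {f.title}\n"
        f"  Asset:       {f.asset.name}\n"
        f"  Severity:    {cvss_severity(f.cvss)} (CVSS {f.cvss}, risk {risk_score(f)})\n"
        f"  Reproduce:   {f.reproduce}\n"
        f"  Remediation: {f.remediation}\n"
    )


# Constructed sample assets and findings (not real systems or CVEs).
BASTION = Asset("bastion-01", criticality=2, internet_facing=True)
CRM_DB = Asset("crm-db-01", criticality=3, internet_facing=False)
WWW = Asset("marketing-www", criticality=1, internet_facing=True)
DEV_BOX = Asset("dev-test-07", criticality=1, internet_facing=False)

SAMPLE_FINDINGS = [
    Finding("F-001", "SSH password authentication enabled", BASTION, 7.5,
            "ssh -o PreferredAuthentications=password user@bastion-01 prompts for a password",
            "Set PasswordAuthentication no in sshd_config; require key-based auth"),
    Finding("F-002", "Database accepts vendor default credentials", CRM_DB, 9.8,
            "Connect from an internal host using the documented default account",
            "Rotate the default account, enforce unique credentials and network ACLs"),
    Finding("F-003", "Reflected XSS in search parameter", WWW, 5.4,
            "Submit a search term containing a script tag and observe it in the response",
            "Encode output contextually; add a restrictive Content-Security-Policy"),
    Finding("F-004", "Unpatched kernel on dev/test host", DEV_BOX, 7.8,
            "uname -r shows a kernel older than the current patched release",
            "Apply vendor patches; rebuild the host from the tested machine image"),
]


def report(findings: list[Finding] = SAMPLE_FINDINGS) -> str:
    """Full prioritized report as one string."""
    return "\n".join(render(f) for f in prioritize(findings))


if __name__ == "__main__":
    print(report())
```

Note how the risk-based ordering differs from a raw CVSS ordering: the High-severity unpatched dev/test host (7.8) ranks below the Medium-severity XSS on the internet-facing site (5.4) because exposure and asset value are part of the priority, not just the base score.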

There are several types of vulnerability assessment, including the following.

Server or Host – The assessment of critical servers, which may be vulnerable to attack if they were not adequately tested or were not built from a tested, hardened machine image.

Network and wireless – The assessment of policies and practices to prevent unauthorized access to private or public networks and network-accessible resources.

Database – The assessment of databases or big data systems for vulnerabilities and misconfigurations, identifying rogue databases or insecure dev/test environments, and classifying sensitive data across an organization’s infrastructure.

Application – The identification of security vulnerabilities in web applications and their source code, through automated scans of the running front-end (dynamic analysis) or static analysis of the source code.