No matter how well developed a website or application is, it can still be vulnerable to attack: there can still be unknown security risks. These risks are realised more and more today as hacking and exploitation become more prevalent. The only way to ensure the risks are known is to conduct a Vulnerability Assessment.
A Vulnerability Assessment is performed in consideration of both the target website or application and the network it is hosted on. The assessment evaluates what threats exist, along with the current defences and remediation strategies. Whereas audits focus on measuring compliance with policies and standards that are relatively static, assessments are more dynamic, and are conducted to evaluate current and emerging threats.
Performing a Vulnerability Assessment
As with audits, a Vulnerability Assessment is usually conducted against a live network; however, the auditor may or may not have knowledge of the system under test and may not have privileged credentials. This depends on whether you want testing to be done solely from the 'outside', as an attacker would, or also from the 'inside', which is more thorough and is recommended.
The assessment will be carried out using commercial applications, in-house developed tools, bespoke scripts and manual exploratory testing, drawing on a range of real-world attack techniques and relevant vectors. A comprehensive Vulnerability Assessment Report should be created that shows the exact details of each vulnerability and its recommended remediation.
Note: Vulnerabilities are not exploited, as this can compromise live systems.