Thursday, 16 May 2013

Vulnerability Assessment

No matter how well developed a website or application is, it can still be vulnerable to attack and may carry unknown security risks. These risks become more real as hacking and exploitation grow more prevalent. The only way to ensure the risks are known is to conduct a Vulnerability Assessment.

A Vulnerability Assessment is performed in consideration of both the target web site or application and the network it is hosted on. The assessment evaluates what threats exist, the current defences, and the remediation strategies in place.

Whereas audits focus on measuring compliance with policies and standards that are relatively static, assessments are more dynamic and are conducted to evaluate current and emerging threats.

Performing a Vulnerability Assessment
As with audits, a Vulnerability Assessment is usually conducted against a live network; however, the auditor may or may not have knowledge of the system under test and may not have privileged credentials. This depends on whether you want testing to be done solely from the 'outside', as an attacker would, or also from the 'inside', which is more thorough and is recommended.

The assessment is carried out using commercial applications, in-house developed tools, bespoke scripts and manual exploratory testing, drawing on a range of real-world attack techniques and relevant vectors. A comprehensive Vulnerability Assessment Report should be produced that gives the exact details of each vulnerability found and its recommended remediation.

Note: Vulnerabilities are not exploited, as doing so could compromise live systems.