To protect your systems against attackers, it is important to examine those systems as thoroughly as possible for vulnerabilities. An efficient way to do this is a vulnerability assessment. It gives you a structured overview of the security of every system investigated, and because the work follows a fixed method, the investigation is transparent and repeatable.
What is a vulnerability assessment?
A vulnerability assessment is an extensive investigation in which the vulnerabilities in your IT systems are identified and classified. These systems may be web applications or the underlying infrastructure. A vulnerability assessment differs from a penetration test in that it does not aim to penetrate as deeply as possible, but to give you as exhaustive an overview as possible of all the vulnerabilities present. If a vulnerability assessment reveals no vulnerabilities, you have a well-founded basis for confidence in the security of the investigated system, at least with respect to the classes of vulnerabilities covered by the checklist at the time of testing; no assessment can prove the absence of vulnerabilities outside that scope.
What do we do during a vulnerability assessment?
During a vulnerability assessment we check the systems within the scope for all the types of vulnerabilities we know of. This also includes identifying 'defence in depth' items: measures you can take to raise the overall security level even where no directly exploitable weakness exists. To carry out this assessment we use checklists of vulnerability types, which we work through exhaustively and manually (supported by tools) across the whole scope. Hacking inevitably involves creative human work, and our approach naturally leaves ample room for that. By using checklists, and basing the report on them, you as a client receive a test that is fully transparent and repeatable. You also gain insight not only into your vulnerabilities, but into the factors that currently contribute to the security of your systems.
What do you get after a vulnerability assessment?
All the findings from our investigation are written up in an extensive report, which we discuss with you in person. This gives you a complete picture of the existing vulnerabilities as well as concrete recommendations you can act on immediately. We write our recommendations with developers and system administrators in mind, and we do not consider the work finished until it is clear to everyone involved what needs to happen to resolve the vulnerabilities that were found.
Vulnerability assessment versus pen test
A vulnerability assessment is not the same as a penetration test. The latter is often carried out with the sole purpose of demonstrating that security can be breached: a pen tester stops looking once a path to the objective has been found. During a vulnerability assessment, as many as possible of the vulnerabilities an attacker could use in a (targeted) attack are identified, so the investigation is exhaustive and provides full insight. A vulnerability assessment has a clearly defined scope, usually a web application or a group of servers. A pen test, by comparison, often takes "the organisation" as its scope and, by its nature, does not offer the same completeness of insight. A pen test therefore answers a different security question than a vulnerability assessment does: