A Vulnerability Assessment, also known as Vulnerability Testing, attempts to discover security issues within applications or infrastructure the way a penetration test does. However, a vulnerability assessment does not verify the existence of a vulnerability by attempting exploitation. Instead, as much evidence as possible is gathered to support each finding.
Aptive offer custom automated vulnerability scanning performed weekly, monthly or quarterly, allowing for regular checks of both legacy and newly discovered vulnerabilities. This service is designed to complement regular penetration testing. Without regular security auditing of your systems there is no way of knowing if your organisation has vulnerabilities exposed. For example, a legacy machine could have been booted and, due to incorrect firewall policies, could be accessible to the outside world. Your organisation would have no way of knowing this risk existed without regular security auditing.
Regular scanning can help detect changes and automatically scan for newly discovered vulnerabilities. This service complements our penetration testing services.
Payment Card Industry Data Security Standard (PCI DSS) compliance requires that merchants accepting credit cards conduct quarterly vulnerability scans (every 3 months) of their environment, both internally and externally.
External vulnerability testing is performed from outside of your organisation’s network and must include all of your external IP addresses. Regular external vulnerability testing helps identify exposed vulnerabilities and complements the annual penetration testing also required for PCI DSS compliance.
Internal vulnerability scans must take place from a number of locations within your network to test the security of all systems within the cardholder data environment (CDE). Internal VA provides an internal overview of the state of security within your network and identifies flaws that an attacker could potentially exploit after gaining access to your internal network.
Vulnerability scans must be performed at least quarterly. Additional scans are required whenever there are significant infrastructure changes to your cardholder data environment.
If your organisation has never performed a penetration test before, a vulnerability assessment is a good starting point to gain an overview of your network security. Below are some of the primary advantages of a vulnerability test:
Additionally, quarterly vulnerability assessments are a requirement for PCI DSS and must be performed every 3 months (4 times a year).
Regular vulnerability assessments can help detect changes and automatically scan for newly discovered vulnerabilities. This service complements our manual penetration testing services.