A Vulnerability Assessment, also known as Vulnerability Testing, attempts to discover security issues within applications or infrastructure in the same way as a penetration test. However, it does not verify the existence of a vulnerability by attempting exploitation. Instead, as much evidence as possible is gathered to support the finding without attempting exploitation. There are two types of vulnerability assessment: manual and automated. More information about these services can be found on their respective service pages.
If your organisation has never had a penetration test before, a vulnerability assessment is a good starting point to gain an overview of your network security. Below are some of the primary advantages of a vulnerability assessment:
Additionally, PCI DSS requires quarterly vulnerability assessments, which must be performed every 3 months (4 times a year).
Regular vulnerability assessments can help detect changes and automatically scan for newly discovered vulnerabilities. This service complements our manual penetration testing services.
Vulnerability testing helps identify potential security vulnerabilities without attempting to exploit the system. On a manual vulnerability test, the consultant will provide as much evidence as possible to back up the finding. However, because the vulnerability cannot be exploited, it is not possible to truly verify whether a system is exploitable through a discovered vulnerability.
Manually combining discovered security issues to produce a higher-severity vulnerability or, in some cases, a compromise is not possible with a vulnerability assessment.
Advancement, commonly known as “pivoting”, is also not possible on a vulnerability assessment. Because no machines are compromised, none can be used as network entry points.