Vulnerability is a weakness in the security of a software product which is caused due to a faulty implementation or design of the system. For example, if a hacker can easily guess the password of a web application, this should be regarded as a serious vulnerability in the system.
A vulnerability assessment is merely a security testing procedure to measure this security risk with recommended corrective actions before the application is released to the public or the targeted users.
What are the goals of Vulnerability Assessment?
The goals of vulnerability assessment are to:
- Reduce the risks of security breaches
- Protect the confidentiality of an organization
- Protect the user’s data and wealth (yes wealth! Imagine the application under attack is an internet banking application.)
- Ultimately, keep the web a safe place where users can communicate and transact securely
Steps in Vulnerability Assessment
1. Know and Assess the System
First thing as a security professional, you need to learn and assess the system. You may need to ask several questions to know and assess the system. Some of them are
- What does this system do? (For example, an internet banking application)
- What kind of information does this system deal with? (For example, bank accounts and money)
- What are the possible risks to the targeted user? (For example, loss of wealth )
2. Planning and Preparation
Once you have learned the system, you need to setup the plan and scope of vulnerability assessment. This stage will give you a fair idea of what to do in the coming phases. That is, what system should be included in the assessment and what types of scans (such as whether external or internal scans) are needed, What type of scanners to be used, what are the risks to be identified, whether unauthorized attack, data leakage, unprivileged usage, data destruction etc.
3. Vulnerability Scan
This is where you scan the system for security risks. Various scanning tools can be used here based on the scope of testing. One or multiple phases of scanning will be performed before a final report is produced. Vulnerabilities identified after the scanning will then be listed against the risks mentioned in the scope of testing, then a risk rating will be attached against the vulnerabilities found.
4. Defining Remediation Actions
After the vulnerabilities have been assessed against their risks, the remedial action will be initiated. The security officer will initiate this process by marking the risk rating and the corrective action against each vulnerability. The IT department can also jump in and suggest any available security patches in order to strengthen the security of a particular module or configuration.
5. Implementation of Remediating Actions
In this step, the IT department will perform corrective actions based on the recommendation provided by the security officer. If it’s not possible to implement a recommended action, the IT department can inform the security officer and he or she will suggest alternative solutions in order to mitigate the risk. For example, whether a particular service is found to be vulnerable and a security patch can be applied in order to remove the risk. But if in practice, the security patch doesn’t remove the vulnerability, the security officer can then recommend to IT an alternative solution, for example, to restrict network access to this particular service.
This will be the final step in the vulnerability assessment procedure. After applying all the corrective actions, the scanning will be performed again to re-confirm whether the vulnerabilities have been removed. All these actions will be recorded for future review and analysis.
Types of Vulnerability Scanners
This type will detect problems in the host or system. This is done using host-based scanners in order to diagnose weaknesses. Host-based tools need mediator software at the target system. It traces the event and reports it to the security analyst.
This will detect an open port and identify unknown services that work on these ports. It discloses vulnerabilities related to the services. The process is carried out using network-based Scanners.
This process helps discover the security flaws of a database system, such as SQL injection. If rogue users inject an SQL statement into a database, they could have illegal access to sensitive data to use as they want.
Advantages of Vulnerability Assessment
- Identifies all vulnerabilities
- Implementation can be fully automated
- Easy to set up
Disadvantages of Vulnerability Assessment
- Chances of false positive rate.
- Can be detected by System Firewall.
- May prevent you from noticing new vulnerabilities if not kept updated.
The full process of vulnerability testing is composed of two parts – vulnerability assessment as described above, and penetration testing. Although the two components are dissimilar in terms of functionality and strength, for generating an authoritative report on vulnerability testing, both processes will need to be utilized.