It is not always easy to identify the security service an organization needs in order to accomplish its short-term goals. When it comes to securing systems, assets, and applications, several types of service can be engaged to build an understanding of the risks and vulnerabilities that exist within the environment.
This article dives into vulnerability assessments and what a business should expect when engaging a consultant to provide one. We'll look at what the service is, how it is performed, what the deliverables are, and the likely cost to your firm relative to the benefits.
- What is a Vulnerability Assessment?
- The Process
- What Tools Are Used?
- What Kind of Reporting Do You Get?
- How Long Does It Take and What Is the Cost?
- How do VAs Differ from One Consultancy to the Next?
- What Happens After a Vulnerability Assessment?
- Goals: Compliance or Security?
- Is a VA Right For Your Organization?
What is a Vulnerability Assessment?
A vulnerability assessment, also known as vulnerability testing, vulnerability analysis, or simply a VA, is the process of evaluating systems, applications, networks, or other organizational assets for weaknesses, or vulnerabilities. It is never one-size-fits-all: the tools and tests used differ for networks, applications, wireless networks, and databases. The end goal, however, is always the same: identify critical security vulnerabilities and weaknesses that could result in a security breach or the exposure of sensitive data.
A vulnerability assessment not only provides valuable information on the security posture of the organization; it also helps validate that the security program's controls, processes, and procedures are functioning as intended.
These assessments are typically quick to perform and provide a useful point-in-time view of whether servers, network equipment, and applications are being deployed and managed according to internal requirements. Because the view is point-in-time, results age as the environment changes, which is why assessments are usually repeated on a schedule.
Since there are multiple types of vulnerability assessments, an organization can take a targeted approach to the assessment by focusing on the type of asset with which it is concerned. Some of the most common vulnerability assessments that can be contracted for include:
- Network, either internal or external: identify vulnerabilities or misconfigurations in the network and the hosts exposed on it
- Application, covering static source-code review, dynamic testing of the running application, or API method assessments: identify potential vulnerabilities and misconfigurations in deployed applications or in their source code
- Wireless networks: identify misconfigurations, weak protocols, or vulnerabilities in a wireless network deployment
- Database: identify vulnerabilities and misconfigurations in a database that could lead to data exposure or to exploitation resulting in a security breach
- Host-based: identify vulnerabilities and misconfigurations in the host OS and any installed software on a server or workstation, through authenticated scanning and testing
So, just as with penetration testing, there are multiple types of vulnerability assessment.
What are some of the key differences between a penetration test and a vulnerability assessment?
A penetration test includes a vulnerability assessment as part of its methodology, so that the tester has a comprehensive list of vulnerabilities to work from. With a vulnerability assessment alone, you receive a list of identified vulnerabilities and recommendations, but not a full understanding of the exploitability or real-world impact of any particular vulnerability.
In a penetration test, you get a strong narrative of how vulnerabilities were exploited and a clear set of high-priority findings for remediation, but findings in a pen test report may not be presented in a format that can be imported into vulnerability management tools.
While both combine automated and manual techniques, a VA uses them only to detect and name vulnerabilities. A penetration test uses automated and manual techniques to simulate a real security breach and to gather evidence of the impact and severity of the vulnerabilities it exploits.
The other key difference is that a vulnerability assessment is typically a much smaller investment in time than a penetration test, often a quarter of the total time.
>>> See this article for a more in-depth breakdown of the differences between penetration tests and vulnerability scans.
The Process
The vulnerability assessment process starts out much like that of a penetration test; a penetration test, in turn, often includes vulnerability testing as its initial step or as a core component.
The process includes the following steps:
- Scoping: which IP address blocks are to be assessed, which application domains and user roles, which source code, API methods, databases (and their size), and wireless SSIDs
- Deployment, where applicable, of vulnerability scanners or other tools, including placing a scanner inside the network and provisioning credentials for any authenticated scanning
- Identification of sensitive or confidential data within the systems in scope
- Discovery scanning: enumerating IP addresses, ports, and protocols for network scans, or crawling an application to identify all reachable pages and API endpoints
- Vulnerability identification through automated and manual techniques
- Vulnerability analysis: validating findings, assigning an appropriate risk rating to each, and recommending remediation actions
- Reporting: an executive summary of what was found, plus detailed results
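The discovery-scanning and reporting steps above usually start from raw scanner output. As an added example (not code from the original article or from any consultancy's platform), the script below reads an Nmap XML report (the documented `nmap -oX` layout) and derives the headline numbers a VA report leads with: hosts that responded, the most common open port/protocol pairs, and the service fingerprints that later vulnerability checks key on. The XML embedded here is a constructed sample, not output from a real scan, and the IP range and versions in it are placeholders.

```python
"""Summarise an Nmap XML discovery scan the way a VA report does.

The XML below is a constructed sample in Nmap's documented -oX layout;
it is not output from a real scan, and the addresses are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.0.0/29">
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.10.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
    </ports>
  </host>
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.10.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.7.33"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.0.3" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.10.0.4" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/>
        <service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(protocol, port, fingerprint), ...]} for hosts that are up.

    Only open ports are kept: closed or filtered ports are noise in a VA
    report, and hosts that did not respond are excluded entirely.
    """
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            fingerprint = ""
            if svc is not None:
                # name/product/version are optional in Nmap output; join what exists
                fingerprint = " ".join(
                    v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v
                )
            services.append((port.get("protocol"), int(port.get("portid")), fingerprint))
        hosts[addr.get("addr")] = services
    return hosts


def summarize(hosts):
    """Headline report numbers: responding hosts, open ports, common port/protocol pairs."""
    port_counter = Counter()
    for services in hosts.values():
        for proto, port, _ in services:
            port_counter[(proto, port)] += 1
    return {
        "responding_hosts": len(hosts),
        "open_ports_total": sum(port_counter.values()),
        "common_ports": port_counter.most_common(),
    }


def hosts_running(hosts, product):
    """Hosts whose fingerprints mention a product: the hook for version-based checks."""
    return sorted(
        ip for ip, services in hosts.items()
        if any(product.lower() in fp.lower() for _, _, fp in services)
    )


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_NMAP_XML)
    totals = summarize(scan)
    print(f"{totals['responding_hosts']} hosts responded, {totals['open_ports_total']} open ports")
    for (proto, port), count in totals["common_ports"]:
        print(f"  {port}/{proto}: {count} host(s)")
    print("OpenSSH exposed on:", hosts_running(scan, "OpenSSH"))
```

Feeding a real `-oX` file in place of the embedded sample gives the same tables; the per-host fingerprints are what a scanner's version checks (and the validation step after the assessment) compare against.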
What Tools Are Used?
Because automated testing is a key component of a vulnerability assessment, tool selection matters when conducting a VA.
In many cases, the same tools used for a vulnerability assessment are used in the early stages of a penetration test. Which tools are used depends on the type of assessment being conducted.
- Network: scanners that enumerate IP addresses, ports, and protocols and fingerprint the services behind them, such as Nmap, OpenVAS, Qualys, and Nexpose
- Applications: several categories of tool, depending on the focus of the testing.
- Dynamic application security testing (DAST) tool: run against the application in its deployed state
- Static application security testing (SAST) tool: scans source code and performs basic evaluation of code execution paths to identify vulnerabilities
- Fuzz testing tool: like a DAST tool it runs against the deployed application, but it sends malformed or random data to API methods and application forms to surface input-handling vulnerabilities, poor performance, or denial-of-service weaknesses
- Database: tools specialised in identifying vulnerabilities and configuration issues in database deployments
What Kind of Reporting Do You Get?
As previously mentioned in this article, reporting is a key step in the process. Reporting for a vulnerability assessment will tend to be more straightforward when compared to a penetration test report.
Since the main goal of a vulnerability assessment is to identify and validate vulnerabilities and misconfigurations in the environment, most of the report focuses on details of what was found and the risk rating assigned to each finding. The report often includes additional information about the network or application tested, such as the total number of IP addresses that responded, the common ports and protocols exposed, and a breakdown of total vulnerabilities by risk rating.
A VA report often provides the most value to technical teams, who use it to prioritise remediation.
So what is the difference between a vulnerability assessment report and a penetration test report? Both contain information on vulnerabilities and weaknesses in the organization, but a vulnerability assessment does not provide a narrative beyond the vulnerabilities identified. Since a penetration test involves hands-on exploitation of vulnerabilities to gain access to data, networks, or systems, its report reads more like the story of how that happened. Because several vulnerabilities may be chained together during the simulated breach, that narrative is needed to understand how best to prevent the breach when remediating.
Both have value. If an organization wants to address all of its vulnerabilities, a vulnerability assessment is the more cost-effective way to enumerate them.
How Long Does It Take and What Is the Cost?
One of the biggest benefits of a vulnerability assessment is that it often can be completed with a low investment of time and money. In most cases, a vulnerability assessment can be completed within a day and at most a business week for a very large test.
Since vendors charge by the total time the engagement requires, this translates into a small cost for the test.
In many cases, a vulnerability assessment can be completed for a cost between $1,000 and $5,000 to the organization.
When it comes to time and cost, the biggest factor for any vulnerability assessment is the size of the asset being tested. This can take the form of a total number of IP addresses, application size or the number of applications being scanned, or the number of databases being scanned.
Little else affects the time estimate, because a vulnerability assessment relies heavily on automated tools with limited manual testing.
>>> We’ve written in-depth about the costs of vulnerability assessments in this article.
How do VAs Differ from One Consultancy to the Next?
In general, a VA does not differ much from one consultancy to another; the methodology and the tools used are very similar. Tool vendors may differ, though, which affects which vulnerabilities are identified and how they are reported, even when the overall methodology is the same.
Reporting is the most visible difference between consultancies. Every vendor or consultancy will have its style, fonts, and look and feel for its reports. This may even involve a variety of value-add metrics, graphs, and information that can be gleaned from the testing provided.
Further, some vendors may have a full web-based UI and set of APIs that can be integrated to help with pulling data from the platform. When talking with consultancies, it is always a good idea to ask for samples of deliverables and, for those that provide a web UI to access the data, a walk-through of their platform.
What Happens After a Vulnerability Assessment?
After the engagement has been completed, the security team or other engineering teams need to review the results to identify and understand the threats these vulnerabilities pose to the organization. At this point, the organization shifts into vulnerability management: understanding the impact of each finding and prioritising it appropriately for remediation.
Once testing is complete and findings are delivered, have your teams spend time reviewing the vulnerabilities against the in-scope assets to validate them. It is not uncommon for a network vulnerability assessment to misidentify a server's OS or software version, so simply comparing the actual installed version against what the scanner reported can rule out false positives.
Shortly after this, critical vulnerabilities should be identified for remediation and prioritised as part of ongoing work within the organization.
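The triage described in this section, as an added example that is not code from the original article or from any vendor's platform: the script maps each finding's CVSS base score to the qualitative rating a VA report uses (the CVSS v3.x severity scale), produces the by-rating breakdown, and cross-checks scanner-reported versions against an asset inventory so that version-detection false positives are flagged for validation before anyone is assigned remediation work. The finding list, inventory, hostnames, and version strings are constructed sample data, not output from any real scanner or environment; the `cvss` values are illustrative, not ratings of any real product.

```python
"""Triage a VA finding list: CVSS rating, by-rating breakdown, and a
version cross-check against inventory to flag likely false positives.

All findings, inventory entries and scores below are constructed sample
data, not output from a real scanner or a real environment.
"""
import re
from collections import Counter

# Constructed scanner findings. 'reported_version' is what the scanner fingerprinted.
FINDINGS = [
    {"host": "10.10.0.1", "product": "OpenSSH", "reported_version": "7.4",
     "title": "Outdated OpenSSH version", "cvss": 7.5},
    {"host": "10.10.0.2", "product": "OpenSSH", "reported_version": "7.4",
     "title": "Outdated OpenSSH version", "cvss": 7.5},
    {"host": "10.10.0.2", "product": "MySQL", "reported_version": "5.7.33",
     "title": "Outdated MySQL version", "cvss": 9.8},
    {"host": "10.10.0.4", "product": "SNMP", "reported_version": "",
     "title": "SNMP default community string", "cvss": 5.3},
    {"host": "10.10.0.1", "product": "nginx", "reported_version": "1.18.0",
     "title": "TLS 1.0 enabled", "cvss": 3.7},
]

# Constructed asset inventory: host -> {product: version actually installed}.
# 10.10.0.4 is an appliance with no inventory record, so it stays unverified.
INVENTORY = {
    "10.10.0.1": {"OpenSSH": "7.4", "nginx": "1.18.0"},
    "10.10.0.2": {"OpenSSH": "8.9", "MySQL": "5.7.33"},
}

RATING_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def cvss_rating(score):
    """CVSS v3.x qualitative severity scale as defined in the CVSS specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_version(version):
    """'7.4p1' -> (7, 4): compare the leading numeric components only."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def validate(finding, inventory):
    """'confirmed' if inventory agrees with the scanner, 'needs-validation' if the
    versions disagree (a likely false positive), 'unverified' if inventory is silent."""
    host_inv = inventory.get(finding["host"])
    if not host_inv or finding["product"] not in host_inv or not finding["reported_version"]:
        return "unverified"
    actual = parse_version(host_inv[finding["product"]])
    reported = parse_version(finding["reported_version"])
    return "confirmed" if actual == reported else "needs-validation"


def triage(findings, inventory):
    """Annotate each finding with rating and status; highest rating first,
    confirmed findings ahead of doubtful ones within a rating."""
    rows = [
        {**f, "rating": cvss_rating(f["cvss"]), "status": validate(f, inventory)}
        for f in findings
    ]
    rows.sort(key=lambda r: (RATING_ORDER[r["rating"]], r["status"] != "confirmed"))
    return rows


def breakdown(triaged):
    """Count of findings per rating, the headline table of a VA report."""
    return dict(Counter(r["rating"] for r in triaged))


if __name__ == "__main__":
    rows = triage(FINDINGS, INVENTORY)
    print("Breakdown by rating:", breakdown(rows))
    for r in rows:
        print(f"{r['rating']:<8} {r['status']:<16} {r['host']:<10} {r['title']}")
```

The ordering puts confirmed Critical and High findings at the top of the remediation queue and pushes "needs-validation" rows to whoever owns the asset, which is exactly the review the text recommends before remediation work is scheduled.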
Another option for organizations, especially those that are limited in staff capacity, is remediation assistance. Remediation services are typically offered on network, host, and wireless vulnerability assessments as an add-on service. The consultancy will provide a detailed approach that includes recommendations along with prioritization for remediation.
There is great value in engaging this service as there can be a long list of vulnerabilities that will need to be remediated and this would alleviate the time commitment of your own teams after the assessment. When engaging with this kind of add-on service, it often comes with validation testing to provide evidence and proof that vulnerabilities have been resolved. This can be a real effort and stress saver for any organization that is limited in resource capacity.
Goals: Compliance or Security?
Before deciding whether a vulnerability assessment is right for your organization, ask what your goal is. Is your organization in the early stages of meeting compliance requirements such as PCI DSS or SOC 2? Or is it primarily interested in developing a strong, robust security program? You can attain both, but most organizations start their journey on one side or the other.
It is important to understand the primary goal before deciding on the appropriate service. A vulnerability assessment can often satisfy regulatory testing requirements, since it does provide an understanding of vulnerabilities and posture. However, because it does not exploit the vulnerabilities it finds, it does not provide a clear picture of the overall security posture.
If the organization is most interested in operating as securely as possible, penetration testing provides the data points needed to accomplish this. By exploiting the vulnerabilities, a clear picture or story can be written about how multiple issues, whether vulnerabilities or misconfigurations, can be paired together to gain full access to sensitive data. A vulnerability assessment stops short of exploit and only provides a surface view of the security posture.
Is a VA Right For Your Organization?
The ideal organization to engage in a vulnerability assessment would be an organization in the early stages of building and deploying security controls, processes, and procedures.
Often, this is a company with a small security team, or a team that handles security alongside other responsibilities. For these organizations there is a lot of value in engaging an external consultancy to perform the test rather than purchasing and implementing a tool: bringing a scanning tool into the environment is a large effort, and it requires ongoing maintenance and oversight.
Most organizations further along in security program maturity already run automated tools that provide this kind of data. For them, a penetration test that pinpoints areas to focus on offers greater value. To be frank, there is little value in having an external consultancy conduct a vulnerability assessment for such an organization, as its automated tools should already be identifying the same vulnerabilities.