Vulnerability Assessment and Penetration Testing May 19, 2014 by tal Vulnerability testing is critical for the security of company information and assets. There are currently two types of vulnerability testing, and although they sound similar, they both have different methods of achieving results. A vulnerability assessment is the use of scanning tools to scan the network in order to find vulnerabilities or flaws that could potentially be exploited by unauthorized users. This is typically the first step in vulnerability testing as it will find common vulnerabilities that attackers using network scanners would find. It does have its limitations, as it is limited to vulnerabilities and flaws that have been pre-programmed into the software. Penetration testing consists of two separate methods. The first method is the use of tools to attempt to exploit known vulnerabilities. The second method involves the use of a security professional to attempt to hack into the network using his knowledge and skills. This is typically the best method as it will expose any flaws that network scanners miss, vulnerabilities that could be exploited by a skilled hacker. Why Vulnerability Assessment and Penetration Testing is critical Vulnerability Assessment and Penetration Testing provide companies with a comprehensive evaluation—better than any single scan or test will provide. This provides the security team with a detailed analysis of the areas that need to be properly secured or patched. Malicious attacks and malware account for the vast majority of threats that company’s face on the web, but threats can exist within third-party applications and software as well, so all areas of the network must be tested. Vulnerability Assessment and Penetration Testing process The first step is to find a professional security expert, typically an ethical hacker or other security expert. This expert will work with the company IT team (if applicable) to perform the test. Since most network scanners can be operated by anyone with little-to-no experience, the first part of the test can be performed by the company IT team in order to save costs, or the entire testing process can be performed by the security expert. The network will be scanned, either by the IT team or the security expert, in order to determine if there are any known threats or vulnerabilities within the system. If any are found, they may be patched immediately or patched after the complete results of the testing process are revealed. This typically depends on the severity of the vulnerability or threat discovered. Once the network scanning process is complete, it’s time for the security expert to jump in and get his hands dirty. He throws every hack he knows, and uses his skill and knowledge to try to find vulnerabilities that the network scanners didn’t find within the application code or network system. If vulnerabilities are discovered, they are patched immediately, and then redundant testing is performed in order to ensure that the threat is no longer valid, and that all vulnerabilities have been solved. The vulnerability assessment and penetration testing process is the ultimate preemptive weapon against web threats. By utilizing these two powerful process simultaneously, companies can keep a detailed log of the security of the network and applications.