Don’t confuse a vulnerability assessment with a penetration test: Vendor

Infosec pros often find vulnerabilities during a penetration test, but that isn’t a vulnerability assessment. The two shouldn’t be confused, says Torsten George, vice president of marketing and product management at cyber risk management software vendor RiskSense.

Unfortunately, George says in a column published this week, many think they are the same.

“To strengthen an organization’s cyber risk posture, it is essential to not only test for vulnerabilities, but also assess whether vulnerabilities are actually exploitable and what risks they represent.” A penetration test is one facet of a vulnerability assessment, to be used to determine if a vulnerability can be exploited.

Although you can hire a third party to do a vulnerability assessment of networks, applications and databases, the SANS Institute offers a whitepaper on how an organization can do one itself. As with any security practice, to be effective the assessment has to have a strong foundation of policies and procedures, the paper emphasizes, including change and issues management.

George also warns that focusing on existing vulnerabilities is only the first step in a useful vulnerability management process. Infosec teams have to determine whether each vulnerability is actually exploitable. “Skipping this step is not only a waste of money, but more importantly creates a longer window of opportunity for hackers to exploit high risk vulnerabilities,” he writes. “Ultimately, the goal is to shorten the window attackers have to exploit a software flaw.”

SANS also advises that the vulnerability assessment process has to be conducted regularly to really minimize the overall risk.

Finally, remember there’s a third element to a well-rounded security strategy: A cyber risk assessment, George points out, takes into account all the contributing factors including asset criticality, vulnerabilities, external threats, reachability, exploitability, and business impact.

Risk assessment, vulnerability assessment and penetration testing make a potent trio.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
