The Plain English Version
Vulnerability assessment is the process of finding security weaknesses in your systems before attackers do. It involves scanning your networks, applications, and devices to identify known vulnerabilities that could be exploited.
Think of it as a health check for your IT systems - finding problems before they become emergencies.
Vulnerability Assessment vs Penetration Testing
Vulnerability Assessment: Automated scanning to identify known weaknesses. Broad coverage, relatively quick and affordable.
Penetration Testing: Human testers actively trying to exploit vulnerabilities. Deeper but more expensive and focused.
Most organisations need both - regular vulnerability assessments with periodic penetration tests.
What Gets Scanned
- Network infrastructure - Routers, firewalls, switches
- Servers and workstations - Operating systems and installed software
- Web applications - Custom applications and websites
- Cloud environments - AWS, Azure, Google Cloud configurations
- Databases - Database servers and configurations
The Assessment Process
Scanners compare your systems against databases of known vulnerabilities (CVEs). Results are typically prioritised by severity - critical, high, medium, low - based on how easy they are to exploit and on their potential impact.
The real work comes after scanning: triaging findings, separating false positives from real issues, and prioritising remediation based on risk.
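The triage step described above can be sketched in code. This is an added example, not the output or logic of any particular scanner: the field names, the scoring weights and the finding ids are assumptions made for illustration, and the sample findings are constructed.

```python
from dataclasses import dataclass

# Severity bands as named above; the numeric weights are assumptions.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str           # placeholder ids, not real CVE numbers
    severity: str
    exploit_public: bool   # proxy for "how easy it is to exploit"
    internet_facing: bool  # proxy for exposure / potential impact

def risk_score(f: Finding) -> int:
    """Combine scanner severity with exploitability and asset exposure."""
    score = SEVERITY_WEIGHT[f.severity.lower()] * 10
    if f.exploit_public:
        score += 15
    if f.internet_facing:
        score += 10
    return score

def triage(findings, false_positives):
    """Drop duplicates and analyst-confirmed false positives, then rank by risk."""
    seen, kept = set(), []
    for f in findings:
        key = (f.host, f.vuln_id)
        if key in seen or key in false_positives:
            continue
        seen.add(key)
        kept.append(f)
    # Highest risk first; host and id break ties so the order is stable.
    return sorted(kept, key=lambda f: (-risk_score(f), f.host, f.vuln_id))

# Constructed sample scanner output.
SAMPLE = [
    Finding("db01", "CVE-EXAMPLE-0001", "critical", False, False),
    Finding("web01", "CVE-EXAMPLE-0002", "high", True, True),
    Finding("web01", "CVE-EXAMPLE-0002", "high", True, True),  # repeat from a second scan
    Finding("ws17", "CVE-EXAMPLE-0003", "medium", False, False),
    Finding("fw01", "CVE-EXAMPLE-0004", "high", False, True),
]
# Pairs an analyst has verified as not actually vulnerable (constructed).
FALSE_POSITIVES = {("fw01", "CVE-EXAMPLE-0004")}

if __name__ == "__main__":
    for f in triage(SAMPLE, FALSE_POSITIVES):
        print(f"{risk_score(f):3d}  {f.severity:8s} {f.host:6s} {f.vuln_id}")
```

With these weights, the high-severity finding on the internet-facing web server outranks the critical finding on the internal database server, which is the kind of reordering that risk-based prioritisation produces compared with sorting on scanner severity alone.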
Common Findings
Missing patches are the most common vulnerability. Others include default credentials, unnecessary services running, weak encryption, misconfigured permissions, and outdated software versions.
Making It Continuous
Annual assessments are not enough - new vulnerabilities are discovered daily. Modern approaches include continuous scanning, integration with patch management, and automated alerting for critical issues.