It helps to understand the following terms before digging into Vulnerability Assessment, or “VA” as it is often called:
- Vulnerability: a flaw or weakness in system security procedures, design, implementation, or internal controls that may result in a security breach or a violation of the system’s security policy.
- Security controls: measures taken to prevent, detect, minimize, or eliminate risk, in order to protect the Integrity, Confidentiality, and Availability of information.
Vulnerability assessment is the process of identifying, quantifying, and prioritising (or ranking) the loopholes in a system.
Why do VA? Vulnerability Assessment is done for the following purposes:
- Network auditing
- Providing direction for security controls
- Helping to justify resource expenditure
- Providing greater insight into process and architecture compliance checking
- Continuous monitoring
I think I should quickly leave you with this:
The Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org) and many scanning tools provide CVE numbers that can be used to look up additional vulnerability information from trusted sources, such as the US-CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls/) and the National Vulnerability Database (http://nvd.nist.gov).
Oh!!, I almost forgot to tell you about the fix.
Vulnerability remediation is the process of fixing vulnerabilities. Prioritise the issues you want to fix, because you may not have enough resources to fix them all at a particular point in time.
For every vulnerability there are three choices for remediation:
- Fix: eliminate the vulnerability altogether.
- Accept: the cost of fixing outweighs the risk.
- Mitigate: don’t outright fix it, but add layers of security to lessen the risk the vulnerability presents.

I hope this has helped to educate you a little.
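As an added example (not code from the original post), here is how the identify, quantify and prioritise steps described above, together with the fix/accept/mitigate choices, can be turned into a small triage script. The sample findings, the placeholder CVE ids (CVE-0000-000x), the risk formula and the thresholds are all assumptions made for illustration; the NVD detail-page URL layout is the public one.

```python
import re

# Constructed sample scan output (not from a real scanner). The CVE ids are
# placeholders in the official CVE-YYYY-NNNN+ syntax; CVSS scores and asset
# criticality (1 = low, 3 = business-critical) are made up for this example.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "asset_criticality": 3, "fix_available": True},
    {"cve": "CVE-0000-0002", "cvss": 9.1, "asset_criticality": 3, "fix_available": False},
    {"cve": "CVE-0000-0003", "cvss": 6.5, "asset_criticality": 2, "fix_available": True},
    {"cve": "CVE-0000-0004", "cvss": 3.1, "asset_criticality": 1, "fix_available": True},
    {"cve": "not-a-cve",     "cvss": 5.0, "asset_criticality": 2, "fix_available": True},
]

# Official CVE identifier syntax: CVE-<four-digit year>-<four or more digits>.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

def nvd_url(cve_id):
    """Return the NVD detail page for a syntactically valid CVE id."""
    if not CVE_ID.match(cve_id):
        raise ValueError(f"malformed CVE identifier: {cve_id!r}")
    return f"https://nvd.nist.gov/vuln/detail/{cve_id}"

def quantify(finding):
    """Assumed risk formula: CVSS base score scaled by asset criticality (max 10)."""
    return round(finding["cvss"] * finding["asset_criticality"] / 3, 1)

def decide(finding, fix_threshold=7.0, accept_threshold=4.0):
    """Map one finding to the three remediation choices: fix, mitigate or accept."""
    score = quantify(finding)
    if score >= fix_threshold:
        # High risk: fix if a fix exists, otherwise add compensating controls.
        return "fix" if finding["fix_available"] else "mitigate"
    if score < accept_threshold:
        return "accept"  # low risk: document and accept
    return "mitigate"

def prioritise(findings):
    """Validate ids, quantify each finding and rank highest risk first.
    Findings with malformed ids are returned separately for manual review."""
    ranked, rejected = [], []
    for f in findings:
        if not CVE_ID.match(f["cve"]):
            rejected.append(f["cve"])
            continue
        ranked.append({**f, "risk": quantify(f), "action": decide(f), "lookup": nvd_url(f["cve"])})
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked, rejected

if __name__ == "__main__":
    ranked, rejected = prioritise(SAMPLE_FINDINGS)
    for r in ranked:
        print(f'{r["cve"]:<14} risk={r["risk"]:>4}  action={r["action"]:<8} {r["lookup"]}')
    print("rejected ids (check manually):", rejected)
```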
Don’t forget to drop your comments below. Let me drop this pen now and go test some apps.