Vulnerability assessment begins with the detection of vulnerabilities, threats and errors. The process then ranks the detected vulnerabilities by the damage they could potentially cause and the urgency of eliminating them. Tracking down existing vulnerabilities, or looking for weaknesses that might give rise to them in the future, is an important part of information risk analysis and is carried out with software tools. Vulnerability scanning is automated, in contrast to penetration testing.
Vulnerability assessments are typically performed in the following steps:
- Carrying out an inventory and recording the assets and resource capacity of a system
- Classifying assets according to their importance to the organization's activities
- Identifying, documenting and classifying the severity of potential vulnerabilities or threats to each resource
- Helping to minimize or eliminate the most serious vulnerabilities in the most important assets and resources
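The four steps above, illustrated as an added example that is not code from the original text: a small Python script that ranks scanner findings by combining the severity reported for each finding with the criticality tier and exposure of the affected asset, producing the remediation queue that the fourth step works from. The asset names, tiers, weights and findings are constructed sample data, not real advisories.

```python
from dataclasses import dataclass

# Constructed sample inventory (step 1) with the criticality tier assigned
# during classification (step 2). Names and tiers are hypothetical.
ASSETS = {
    "payments-api": {"tier": "critical", "internet_facing": True},
    "hr-portal":    {"tier": "high",     "internet_facing": True},
    "build-server": {"tier": "medium",   "internet_facing": False},
    "wiki":         {"tier": "low",      "internet_facing": False},
}

# Weight of each criticality tier in the ranking (assumed values).
TIER_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    asset: str
    title: str
    severity: float       # base severity on a 0-10 scale, as a scanner reports it
    exploit_public: bool  # whether a working exploit is publicly known

# Constructed scanner output (step 3); titles are placeholders, not real advisories.
FINDINGS = [
    Finding("wiki", "Outdated TLS configuration", 5.3, False),
    Finding("payments-api", "SQL injection in search endpoint", 9.8, True),
    Finding("build-server", "Local privilege escalation", 7.8, True),
    Finding("hr-portal", "Reflected XSS in login form", 6.1, False),
    Finding("payments-api", "Verbose error messages", 3.7, False),
]

def risk_score(f: Finding) -> float:
    """Combine potential damage (severity x asset importance) with urgency
    (exposure, public exploit) into one number used for ranking."""
    a = ASSETS[f.asset]
    score = f.severity * TIER_WEIGHT[a["tier"]]
    if a["internet_facing"]:
        score *= 1.5   # reachable by anyone, so it needs fixing sooner
    if f.exploit_public:
        score *= 1.25  # attackers need not develop their own exploit
    return round(score, 2)

def remediation_queue(findings):
    """Step 4: order findings so the most serious issues on the most
    important assets come first."""
    return sorted(findings, key=risk_score, reverse=True)

if __name__ == "__main__":
    for f in remediation_queue(FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.asset:13s} {f.title}")
```

Note that a low-severity finding on the most critical asset ("Verbose error messages") outranks a higher-severity finding on an internal, medium-tier host, which is exactly the effect of weighting by asset importance.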
Both vulnerability assessment and penetration testing are carried out in order to evaluate system security and to help companies and individuals protect their data from attacks and hostile environments. It is recommended to run these two testing processes simultaneously. Various vulnerability assessment tools are currently available on the market, and the use of each of them should be carefully considered. Every tool has its strengths and weaknesses, which is why we use a variety of tools in order to approach the problem correctly.
METHODOLOGY
The Open Web Application Security Project (OWASP)
OWASP represents an enormous step forward in the area of IT security, testing and data protection. It is a non-profit project whose intention is to inform groups, companies and individuals from all over the world about application security. Everyone is free to join the OWASP online community, and each member has access to all relevant information, articles, tools, research and methodologies related to web application security.
OWASP provides many different tools. Some of them are suitable for automated vulnerability scanning (both commercial and open-source tools), while others are used for penetration testing (information-gathering tools, authentication testing tools, data validation testing tools, web services testing tools, etc.). The OWASP Top 10 publishes annual lists of the most common vulnerabilities, the most dangerous threats, the most critical security risks and more, and OWASP reports regularly on these topics.
Penetration Testing Execution Standard (PTES)
This standard originated in 2009, when discussion began about the necessity of penetration testing and the insufficient awareness of that necessity. The Penetration Testing Execution Standard is divided into seven phases. It starts with asking and answering questions in order to get to know the system properly; this phase is known as pre-engagement interaction. It is followed by intelligence gathering, which is particularly important because it eases the phases that follow as well as future penetration tests. The third phase is threat modeling, which defines the approach that will later be used to test for potential threats and vulnerabilities. Vulnerability analysis discovers all errors and malfunctions in the system; how it is carried out can vary, depending on the threats and vulnerabilities faced at this stage. Exploitation identifies ways to attack the system based on the prior vulnerability analysis. Post-exploitation is done in order to maintain control and protect the system. Reporting is the seventh and final section of a penetration test according to the standard; it should contain a full summary with all important details and insights about the entire testing process.