A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation where needed.
Examples of threats that can be prevented by vulnerability assessment include:
- SQL injection, XSS and other code injection attacks.
- Escalation of privileges due to faulty authentication mechanisms.
- Insecure defaults – software that ships with insecure settings, such as guessable admin passwords.
There are several types of vulnerability assessments. These include:
- Host assessment – The assessment of critical servers, which may be vulnerable to attacks if not adequately tested or not generated from a tested machine image.
- Network and wireless assessment – The assessment of policies and practices to prevent unauthorized access to private or public networks and network-accessible resources.
- Database assessment – The assessment of databases or big data systems for vulnerabilities and misconfigurations, identifying rogue databases or insecure dev/test environments, and classifying sensitive data across an organization’s infrastructure.
- Application scans – The identification of security vulnerabilities in web applications and their source code by automated scans on the front-end or static/dynamic analysis of source code.
Vulnerability assessment: Security scanning process
The security scanning process consists of four steps: testing, analysis, assessment and remediation.
Vulnerability identification (testing)
The objective of this step is to draft a comprehensive list of an application’s vulnerabilities. Security analysts test the security health of applications, servers or other systems by scanning them with automated tools, or testing and evaluating them manually. Analysts also rely on vulnerability databases, vendor vulnerability announcements, asset management systems and threat intelligence feeds to identify security weaknesses.
Analysis
The objective of this step is to identify the source and root cause of the vulnerabilities identified in step one.
It involves the identification of system components responsible for each vulnerability, and the root cause of the vulnerability. For example, the root cause of a vulnerability could be an old version of an open source library. This provides a clear path for remediation – upgrading the library.
Assessment
The objective of this step is to prioritize vulnerabilities. Security analysts assign a rank or severity score to each vulnerability, based on such factors as:
- Which systems are affected.
- What data is at risk.
- Which business functions are at risk.
- Ease of attack or compromise.
- Severity of an attack.
- Potential damage as a result of the vulnerability.
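The analysis and assessment steps can be combined into one remediation queue: findings are grouped by responsible component and root cause, then ranked by a score built from the six factors above. This is an added example, not part of the original article; the findings, host names, the `libexample` library, the 1 to 5 rating scale and the weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample findings, not real scan output. Each factor from the list
# above is rated 1 (low) to 5 (high); the scale and weights are assumptions.
FINDINGS = [
    {"id": "F-1", "host": "web-01", "component": "search form", "root_cause": "unparameterized SQL query",
     "systems": 2, "data": 5, "business": 4, "ease": 4, "severity": 5, "damage": 5},
    {"id": "F-2", "host": "web-01", "component": "libexample (hypothetical)", "root_cause": "outdated library version",
     "systems": 4, "data": 3, "business": 4, "ease": 3, "severity": 4, "damage": 3},
    {"id": "F-3", "host": "batch-02", "component": "libexample (hypothetical)", "root_cause": "outdated library version",
     "systems": 2, "data": 2, "business": 2, "ease": 3, "severity": 4, "damage": 2},
    {"id": "F-4", "host": "testdb-01", "component": "database admin account", "root_cause": "default password",
     "systems": 1, "data": 2, "business": 1, "ease": 5, "severity": 3, "damage": 2},
]
WEIGHTS = {"systems": 1, "data": 2, "business": 2, "ease": 2, "severity": 2, "damage": 1}


def risk_score(finding):
    """Weighted average of the six factor ratings, mapped to a maximum of 10."""
    total = sum(weight * finding[factor] for factor, weight in WEIGHTS.items())
    return round(10 * total / (5 * sum(WEIGHTS.values())), 1)


def remediation_queue(findings):
    """Group findings that share a component and root cause, then rank the groups."""
    groups = defaultdict(list)
    for finding in findings:
        groups[(finding["component"], finding["root_cause"])].append(finding)
    queue = []
    for (component, cause), members in groups.items():
        queue.append({
            "component": component,
            "root_cause": cause,
            "max_score": max(risk_score(f) for f in members),
            "hosts": sorted({f["host"] for f in members}),
            "findings": sorted(f["id"] for f in members),
        })
    # Highest risk first; ties go to the fix that closes more findings.
    return sorted(queue, key=lambda g: (-g["max_score"], -len(g["findings"])))


if __name__ == "__main__":
    for rank, group in enumerate(remediation_queue(FINDINGS), 1):
        print(rank, group["max_score"], group["component"], group["root_cause"], group["findings"])
```

The two library findings collapse into a single queue entry, so one upgrade closes both.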
Remediation
The objective of this step is to close security gaps. It’s typically a joint effort by security staff, development and operations teams, who determine the most effective path for remediation or mitigation of each vulnerability.
Specific remediation steps might include:
- Introduction of new security procedures, measures or tools.
- Operational or configuration changes.
- Development and implementation of a vulnerability patch.
Complete Security Vulnerability Assessment Checklist
Before The Assessment
A vulnerability assessment is the process that identifies and assigns severity levels to security vulnerabilities in web applications that a malicious actor can potentially exploit. The assessment is conducted manually and augmented by commercial or open source scanning tools to guarantee maximum coverage. This essential checklist is your playbook when it comes to comprehensively testing a web application for security flaws.
- Conduct test preparation meetings. Present a demo of the application, establish the scope of the upcoming penetration test, and discuss test environment setup.
- Construct a threat model. Target specific areas to identify the maximum number of high-severity vulnerabilities within the allotted time frame.
- Carry out developer interviews. Obtain in-depth knowledge of the application.
- Verify test environment details. Confirm the URLs, VPN access, credentials, etc.
Automated Dynamic Scanning
- Choose automated scanning method. Select an appropriate commercial or open source security scanning tool, depending on the application framework, that ensures maximum coverage (e.g., Burp Suite Pro, IBM Rational AppScan, HP Fortify On Demand, etc.).
- Scan the application. Reveal many common security vulnerabilities with this form of testing.
- Conduct injection and XSS testing. Check for the presence of injection flaws like SQL, JSON, XML, and LDAP injections. Test for cross-site scripting (XSS) through all input points for the application. Determine whether forms are submitted securely, without tampering.
- Administer authentication and authorization tests. Inspect for inadequate authentication methods, improper access control definitions, and broken login processes.
- Audit session management. Review for secure session IDs/cookies. Search for instances of cross-site request forgery (CSRF).
- Investigate sensitive information exposure. Confirm that no sensitive information is revealed due to improper storage of NPI data, broken error handling, insecure direct object references, and comments in source code.
- Examine secure configuration. Guarantee that security configurations aren’t defined and deployed with default settings.
- Run transport layer security testing. Ensure that there aren’t any broken encryption algorithms and that ciphers are used to secure the communication channels.
- Carry out application spidering. Explore the application for unconventional ways to bypass security controls.
- Triage results. Verify scan results manually to separate true positives from false positives.
- Collect evidence. Take appropriate screenshots, or otherwise record the steps, to reproduce an exploit and accurately create a proof of concept.
- Complete report writing. Use a standard template to create a report of all the findings per their risk rating.
- Conduct stakeholder communication. Allow testers to help various stakeholders to understand and justify the risk associated with each of the findings.
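For the "Audit session management" item in the checklist above, a session cookie review can be scripted over the `Set-Cookie` headers an application returns. This is an added example, not part of the original checklist; the header values are constructed sample input and the issue wording is illustrative.

```python
# Constructed Set-Cookie header values (sample input, not captured traffic).
SAMPLE_HEADERS = [
    "SESSIONID=c0n57ruc73d0000000000000000000001; Path=/",
    "__Host-sid=c0n57ruc73d0000000000000000000002; Path=/; Secure; HttpOnly; SameSite=Strict",
    "sid=c0n57ruc73d0000000000000000000003; Domain=example.test; Secure; HttpOnly; SameSite=None",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attributes); attribute names are lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_session_cookie(header_value):
    """Return (cookie name, list of issues) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header_value)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: cookie can travel over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: cookie is readable from page scripts")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        issues.append("SameSite not set: behaviour depends on the browser default")
    elif samesite == "none":
        issues.append("SameSite=None: cookie is sent on cross-site requests, so CSRF defences must come from elsewhere")
    elif samesite not in ("lax", "strict"):
        issues.append("unrecognised SameSite value")
    if name.startswith("__Host-") and ("secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"):
        issues.append("__Host- prefix needs Secure, Path=/ and no Domain")
    return name, issues


def audit(headers):
    """Audit a list of Set-Cookie values; returns {cookie name: issues}."""
    return {name: issues for name, issues in map(audit_session_cookie, headers)}


if __name__ == "__main__":
    for cookie, problems in audit(SAMPLE_HEADERS).items():
        print(cookie, problems or "ok")
```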