Vulnerability Assessment, also known as Vulnerability Testing, is a type of software testing
performed to evaluate the security risks in a software system in order to reduce the
probability of a threat.
A vulnerability is any mistake or weakness in the system’s security procedures, design,
implementation or internal controls that may result in a violation of the system’s security
policy. In other words, it is the possibility for intruders (hackers) to gain unauthorized access.
Vulnerability Analysis depends upon two mechanisms namely Vulnerability Assessment and
Why do Vulnerability Assessment
It is important for the security of the organization.
It is the process of locating and reporting vulnerabilities, which provides a way to detect
and resolve security problems by ranking the vulnerabilities before someone or
something can exploit them.
In this process, operating systems, application software and the network are scanned in
order to identify vulnerabilities, which include inappropriate software
design, insecure authentication, etc.
Vulnerability Assessment and Penetration Testing (VAPT) Process
1. Goals & Objectives: – Defines the goals and objectives of the Vulnerability Analysis.
2. Scope: – While performing the Assessment and Test, the scope of the assignment
needs to be clearly defined.
The following are the three possible scopes:
Black Box Testing: – Testing from an external network with no prior knowledge of
the internal network and systems.
Grey Box Testing: – Testing from either external or internal networks, with the
knowledge of the internal network and system. It’s the combination of both Black
Box Testing and White Box Testing.
White Box Testing: – Testing within the internal network with the knowledge of the
internal network and system. Also known as Internal Testing.
3. Information Gathering: – Obtaining as much information as possible about the IT environment,
such as networks, IP addresses, operating system versions, etc. It is applicable to all three
types of scope: Black Box Testing, Grey Box Testing, and White Box Testing.
4. Vulnerability Detection: – In this process, vulnerability scanners are used to scan
the IT environment and identify the vulnerabilities.
5. Information Analysis and Planning: – The identified vulnerabilities are analyzed in order to
devise a plan for penetrating the network and systems.
How to do Vulnerability Testing
Following is the step-by-step Vulnerability Assessment methodology/technique:
Step 1) Setup:
Step 2) Test Execution:
Run the Tools
Run the captured data packet while running the assessment tools. (A packet is the unit of
data that is routed between an origin and a destination. When any file, for example an
e-mail message, HTML file or Uniform Resource Locator (URL) request, is sent from one place
to another on the internet, the TCP layer of TCP/IP divides the file into a number of
“chunks” for efficient routing; each of these chunks is uniquely numbered and includes the
Internet address of the destination. These chunks are called packets. When they have all
arrived, they are reassembled into the original file by the TCP layer at the receiving
end.)
Step 3) Vulnerability Analysis:
Defining and classifying network or System resources.
Assigning priority to the resource (e.g. High, Medium, Low)
Identifying potential threats to each resource.
Developing a strategy to deal with the highest-priority problems first.
Defining and implementing ways to minimize the consequences if an attack occurs.
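The analysis steps above can be sketched in code. This is an added example, not part of the original article: the resource names, issues and the per-finding severity field are constructed assumptions, and the functions build_queue and threats_per_resource are hypothetical helpers. It shows that ordering by resource priority first puts a Medium finding on a High-priority resource ahead of a High finding on a Low-priority one, and that findings on unclassified resources are surfaced instead of dropped.

```python
from collections import defaultdict

# Rank used for both resource priority and finding severity (assumed scale).
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Resources defined, classified and given a priority (constructed sample data).
RESOURCES = {
    "db01":   {"kind": "system",  "priority": "High"},
    "web01":  {"kind": "system",  "priority": "Medium"},
    "lab-sw": {"kind": "network", "priority": "Low"},
}

# Scanner results reduced to (resource, issue, severity). Constructed sample data.
FINDINGS = [
    ("web01", "insecure authentication", "High"),
    ("lab-sw", "default credentials", "High"),
    ("db01", "outdated software", "Medium"),
    ("db01", "insecure authentication", "High"),
    ("nas07", "open file share", "Low"),  # resource missing from the inventory
]

def build_queue(resources, findings):
    """Order findings by resource priority, then by finding severity.
    Findings on resources that were never classified are returned separately."""
    queue, unclassified = [], []
    for finding in findings:
        (queue if finding[0] in resources else unclassified).append(finding)
    queue.sort(key=lambda f: (PRIORITY_RANK[resources[f[0]]["priority"]],
                              PRIORITY_RANK[f[2]], f[0], f[1]))
    return queue, unclassified

def threats_per_resource(queue):
    """Group the identified issues by resource, keeping queue order."""
    grouped = defaultdict(list)
    for resource, issue, _severity in queue:
        grouped[resource].append(issue)
    return dict(grouped)

if __name__ == "__main__":
    queue, unclassified = build_queue(RESOURCES, FINDINGS)
    for resource, issue, severity in queue:
        prio = RESOURCES[resource]["priority"]
        print(f"{prio:<6} {resource:<7} {severity:<6} {issue}")
    for resource, issue, _severity in unclassified:
        print(f"UNCLASSIFIED {resource}: {issue} (classify this resource first)")
```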
Step 4) Reporting
Step 5) Remediation:
The process of fixing the vulnerabilities.
For every vulnerability