DeepDefence
Vulnerability assessment
  • What is vulnerability assessment:

    A typical business application consists of websites, web servers, networks, cloud services, application code (which can include frameworks, libraries etc.), database servers and possibly more. Though the application can provide excellent functionality to its end users, it can also contain security weaknesses. These weaknesses (also called vulnerabilities) are exploited by bad actors (such as hackers) to steal the user data handled by the business.

    A systematic approach to identifying, prioritizing and reporting these security issues in each layer of the application (website, web servers etc.) is called vulnerability assessment.

    Without vulnerability assessment, businesses risk facing the following issues:

    • Loss of user trust
    • Denial of service
    • Monetary loss
    • Interruption to business continuity
    • Potentially bad publicity

    Each unaddressed vulnerability increases the attack surface, making it easier for hackers to exploit the system.

  • A few examples of vulnerabilities:

    • SQL injection flaw in a website
    • Exposed credentials in source code
    • Unrestricted open ports in a network firewall
    • Exposed actuator endpoints in a Spring Boot application

  • How is vulnerability assessment done:

    • Plan

      Identify the target systems to be assessed. These could be your website, network or physical servers.

    • Perform - Manual and Automated techniques

      Manual - Check for weak passwords, systems running older/obsolete software, unpatched systems etc.

      Automated - Running open-source or commercial software against your target systems to find security weaknesses.

      You have to use more than one tool to run an automated vulnerability assessment, for instance OWASP's ZAP for websites, Nikto for web servers and nmap for networks. You need the necessary skills to run these tools, and depending on the scope of your targets, the tests can take considerable time.
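
      As an added example (not DeepDefence's Deepscan or any other tool named on this page), here is a minimal automated check in Python for two of the vulnerability classes listed above: credentials committed to source code and an over-exposed Spring Boot actuator configuration. The regular-expression patterns, the sample source file and the property files are constructed for illustration; `management.endpoints.web.exposure.include` is a real Spring Boot property, and `*` there publishes every actuator endpoint over HTTP.

```python
"""Toy automated check for two vulnerability classes: credentials committed
to source code and over-exposed Spring Boot actuator endpoints.
Added example; patterns and sample inputs are constructed, not DeepDefence's tooling."""
import re

# Assumed patterns: a small, deliberately conservative set (real scanners use many more).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret[_-]?key|token)\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}


def scan_source(text, path="<memory>"):
    """Return one finding per matching line and pattern: (path, line_no, pattern_name)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings


def check_actuator_exposure(properties_text):
    """Flag a Spring Boot application.properties that exposes every actuator endpoint.
    Returns a list of (line_no, description); an empty list means nothing was flagged."""
    issues = []
    for line_no, line in enumerate(properties_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        if (key.strip() == "management.endpoints.web.exposure.include"
                and value.strip() == "*"):
            issues.append((line_no, "all actuator endpoints exposed over the web"))
    return issues


# Constructed sample source file: two leaked secrets, one correct use of the environment.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2-prod"          # leaked credential
AWS_KEY = "AKIAABCDEFGHIJKLMNOP"      # constructed, not a real key
API_KEY = os.environ["API_KEY"]       # read from the environment: fine
"""

# Constructed property files: the weak setting beside the corrected one.
WEAK_PROPERTIES = """\
# application.properties with the weak setting
management.endpoints.web.exposure.include=*
"""

HARDENED_PROPERTIES = """\
# application.properties exposing only the health endpoint
management.endpoints.web.exposure.include=health
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE, "app/config.py"):
        print("secret:", finding)
    print("weak config:", check_actuator_exposure(WEAK_PROPERTIES))
    print("hardened config:", check_actuator_exposure(HARDENED_PROPERTIES))
```

      Each match is a lead to verify, not a confirmed vulnerability: a matched string may be a placeholder or test value, which is exactly the false-positive review the Prioritize step below calls for.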

      Deepdefence makes vulnerability testing easy for you. If you are a techie, you can use our Docker-based solution (named Deepscan), which is free to use for individuals. Our Deepscan software contains everything you need to run a vulnerability assessment of your website, network, cloud environment and more. The download link is available on our website.

      Deepdefence also offers vulnerability assessment as a service. Contact us for more details.

    • Prioritize

      The results reported by automated tools may also contain false positives, which you need to verify manually for accuracy. The tools often prioritize the security issues in their reports; if not, you have to prioritize them yourself into categories such as 'Critical', 'High', 'Medium' and 'Low'.

    • Report & Repeat

      Report your findings to your engineering team, who can fix them in order of severity. This could include fixing a piece of code, closing a firewall port or applying a security patch to a host machine.

      After the fixes, repeat the assessment to ensure the vulnerabilities are resolved. Software and applications are constantly improved and updated, and new threats are regularly identified. This means vulnerability assessment must be carried out periodically rather than treated as a one-time activity.
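
      The Prioritize and Report & Repeat steps above, as an added Python example that is not DeepDefence's tooling: it merges findings that several scanners reported for the same host and check, assigns each a Critical/High/Medium/Low category, keeps unverified findings visible as possible false positives, and compares two assessment runs to show what was resolved, what is new and what persists. The scanner findings, host names and check names are constructed; the CVSS v3 base-score bands used for the categories are the standard ones.

```python
"""Added example (not DeepDefence's tooling): triage scanner findings into
Critical/High/Medium/Low and compare two runs to confirm fixes.
All findings below are constructed; CVSS v3 score bands are the standard ones."""

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]


def severity_from_cvss(score):
    """Map a CVSS v3 base score to the four report categories."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(raw_findings):
    """Merge duplicates (same host and check reported by several tools), assign a
    severity, and sort most severe first. A raw finding carries either a
    tool-assigned 'severity' or a 'cvss' score, and optionally 'verified'."""
    merged = {}
    for f in raw_findings:
        key = (f["host"], f["check"])
        sev = f.get("severity") or severity_from_cvss(f["cvss"])
        entry = merged.setdefault(key, {
            "host": f["host"], "check": f["check"], "severity": sev,
            "tools": set(), "verified": False,
        })
        entry["tools"].add(f["tool"])
        # Tools can disagree; keep the more severe rating until someone verifies it.
        if SEVERITY_ORDER.index(sev) < SEVERITY_ORDER.index(entry["severity"]):
            entry["severity"] = sev
        entry["verified"] = entry["verified"] or f.get("verified", False)
    return sorted(merged.values(),
                  key=lambda e: (SEVERITY_ORDER.index(e["severity"]), e["host"], e["check"]))


def unverified(entries):
    """Findings nobody has confirmed by hand: treat them as possible false positives."""
    return [e for e in entries if not e["verified"]]


def summarize(entries):
    """Counts per severity, in the order the report lists them."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for e in entries:
        counts[e["severity"]] += 1
    return counts


def compare_runs(previous, current):
    """Return (resolved, new, persisting) sets of (host, check) keys between two triaged runs."""
    prev_keys = {(e["host"], e["check"]) for e in previous}
    cur_keys = {(e["host"], e["check"]) for e in current}
    return prev_keys - cur_keys, cur_keys - prev_keys, prev_keys & cur_keys


# Constructed scanner output: first assessment run.
RUN1_RAW = [
    {"tool": "zap", "host": "www.example.test", "check": "sql-injection", "cvss": 9.8},
    {"tool": "nikto", "host": "www.example.test", "check": "sql-injection", "cvss": 7.5},
    {"tool": "nmap", "host": "10.0.0.5", "check": "open-port-3306", "severity": "High",
     "verified": True},  # database port reachable from outside, confirmed by hand
    {"tool": "zap", "host": "www.example.test", "check": "missing-security-header", "cvss": 3.1},
]

# Constructed output of the repeat run after the engineering team fixed the SQL injection.
RUN2_RAW = [
    {"tool": "nmap", "host": "10.0.0.5", "check": "open-port-3306", "severity": "High"},
    {"tool": "zap", "host": "www.example.test", "check": "missing-security-header", "cvss": 3.1},
    {"tool": "zap", "host": "www.example.test", "check": "outdated-jquery", "cvss": 6.1},
]

if __name__ == "__main__":
    first, second = triage(RUN1_RAW), triage(RUN2_RAW)
    print("run 1:", summarize(first), "needs manual verification:", len(unverified(first)))
    resolved, new, persisting = compare_runs(first, second)
    print("resolved:", resolved)
    print("new:", new)
    print("persisting:", persisting)
```

      Keying findings on (host, check) rather than on the tool that reported them is what makes the repeat run comparable with the first one: a fix is only confirmed when the key disappears from the new run, and a finding that appears in the new run only is exactly the "new threats are regularly identified" case that keeps the assessment from being a one-time activity.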

    If you need help with vulnerability assessment of your software, DeepDefence can help you. Drop us a message now!! We offer a free security assessment to new customers.