Vulnerability Assessment

A vulnerability assessment is an in-depth audit of a software system to identify security vulnerabilities. It is a specialized form of risk analysis. Typically, a security professional performs a vulnerability assessment by first establishing a baseline of the system as a whole (its components, configuration and exposure), then identifying and cataloging the areas of vulnerability, and finally providing a prioritized strategy to remediate or minimize them.

An important part of a vulnerability assessment is ranking or quantifying the areas of vulnerability in terms of both the likelihood of exploitation (how easily, and how probably, an attacker could exploit the weakness) and the impact of exploitation. Some vulnerabilities are easy to exploit but carry low impact. Others are quite difficult to exploit but carry high impact to an organization or business if exploited. Still others are both easy to exploit and carry a severe impact. A good security professional ranks vulnerabilities by the combination of the two factors, the risk, rather than by either factor alone, and recommends a targeted approach that mitigates the most serious vulnerabilities first.
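The ranking described above, carried through as an added example (this is illustration code written for this page, not a tool or method from the original): findings are scored on a likelihood-by-impact matrix, ties are broken in favour of impact so that a hard-to-exploit, high-impact issue outranks an easy, low-impact one with the same product, and the result is grouped into remediation buckets. The three-point scale, the rating thresholds and the sample findings are all assumptions constructed for the example.

```python
"""Rank vulnerability-assessment findings by risk (likelihood x impact).

Added example for this page; the level names, scoring scale, rating
thresholds and sample findings are constructed for illustration and are
not taken from any standard or real assessment.
"""
from dataclasses import dataclass

# Qualitative levels mapped to an ordinal scale (assumption: a 3-point scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    likelihood: str  # ease/probability of exploitation: "low", "medium" or "high"
    impact: str      # business impact if exploited: "low", "medium" or "high"

    def __post_init__(self):
        # Reject unknown levels early so a typo cannot silently drop a finding's risk.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in LEVELS:
                raise ValueError(f"{self.ident}: {name} must be one of {sorted(LEVELS)}")


@dataclass(frozen=True)
class RankedFinding:
    finding: Finding
    score: int
    rating: str


def risk_score(finding: Finding) -> int:
    """Risk = likelihood x impact on the ordinal scale (1..9 with a 3-point scale)."""
    return LEVELS[finding.likelihood] * LEVELS[finding.impact]


def risk_rating(score: int) -> str:
    """Bucket a numeric score into the rating used in the report (thresholds are assumptions)."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_findings(findings):
    """Return findings ordered from most to least risky.

    Ties on the product are broken by impact first, then likelihood, so a
    hard-to-exploit but high-impact issue outranks an easy, low-impact one
    with the same score; the ident makes the order deterministic.
    """
    ranked = [RankedFinding(f, risk_score(f), risk_rating(risk_score(f))) for f in findings]
    ranked.sort(key=lambda r: (-r.score, -LEVELS[r.finding.impact],
                               -LEVELS[r.finding.likelihood], r.finding.ident))
    return ranked


def remediation_buckets(findings):
    """Group finding ids by rating so the plan can target the top buckets first."""
    buckets = {"critical": [], "high": [], "medium": [], "low": []}
    for r in rank_findings(findings):
        buckets[r.rating].append(r.finding.ident)
    return buckets


# Constructed sample findings (not from a real assessment); they cover the
# three cases in the text: easy/low, hard/high and easy/high.
SAMPLE_FINDINGS = [
    Finding("F-1", "Server banner reveals exact version", "high", "low"),
    Finding("F-2", "SQL injection in login form", "high", "high"),
    Finding("F-3", "Race condition in payment settlement", "low", "high"),
    Finding("F-4", "Missing HSTS header", "medium", "low"),
    Finding("F-5", "Outdated library with known RCE", "high", "high"),
]


if __name__ == "__main__":
    for r in rank_findings(SAMPLE_FINDINGS):
        f = r.finding
        print(f"{r.rating:8} score={r.score} {f.ident} {f.title} "
              f"(likelihood={f.likelihood}, impact={f.impact})")
```

Run as a script it prints the prioritized list; the two critical findings (F-2, F-5) come first, and the hard-to-exploit payment race (F-3) is placed ahead of the trivially exploitable but low-impact banner disclosure (F-1) even though both multiply out to the same score. In a real assessment the scale would usually be finer (for example a CVSS-style vector), but the prioritization logic is the same.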

A vulnerability assessment differs from an application penetration test in approach and focus. A vulnerability assessment is more holistic and breadth-first: it audits the overall health of a system and catalogs its weaknesses. A penetration test is depth-first: it focuses on finding specific points where an attacker could exploit vulnerabilities and typically demonstrates that exploitation is actually possible. Both a vulnerability assessment and a penetration test are critical to ensuring the security of a website or web application.