Vulnerability Assessment | A Complete Guide

July 30, 2021 HackerOne Team

Are you wondering about vulnerability assessments? We give a full explanation of what vulnerability assessments are, how they work, and how they help prevent cyberattacks.

What Is Vulnerability Assessment?

Vulnerability assessments systematically evaluate your system, looking for security weaknesses and vulnerabilities. The assessment provides information to the security team to classify, prioritize, and remediate weaknesses.

Assessments go beyond what you’d find in a typical vulnerability scan, usually involving a dedicated team or a group of outsourced, ethical hackers to perform the evaluation.

What Kinds of Threats Do Vulnerability Assessments Find?

A vulnerability assessment can uncover vulnerabilities with varying degrees of severity. It can also confirm that your IT environment complies with industry and government standards. Below are a few common vulnerabilities found during a typical assessment.

  • Easily guessed or brute-forced weak passwords
  • Code injection vulnerabilities that attackers can exploit via SQL injection or XSS attacks
  • Unpatched applications or operating systems
  • Misconfigurations, such as unchanged default settings or vulnerable, open ports

The Four Steps of a Vulnerability Assessment

Define the Scope

Before an assessment can begin, the network’s owner must set the scope to determine what networks, systems, and applications to test. The scope is usually further defined and separated by different domains or subdomains.

The scope can also include exactly how to test vulnerabilities and may specify other parameters. For example, some organizations may state that testing email vulnerabilities cannot include phishing attacks against their staff and must use a specific email address.

Review System Functions

Before running the vulnerability assessment, the security team reviews the in-scope systems and applications. The review phase helps determine how an exploited vulnerability would impact business functions.

Perform the Vulnerability Scan

Hackers can use various tools and techniques to test a system’s integrity. Testers often start with automated scans that look for the most common vulnerabilities across applications, network infrastructure, and host machines.

Testers then move on to a manual testing approach that uses custom code to identify vulnerabilities. Manual testing can be time-consuming, but it is critical for identifying application-specific bugs and zero-day vulnerabilities.

Create the Vulnerability Assessment Report

The assessment report lists the vulnerabilities identified during the scan and highlights remediation steps. Each recommendation is paired with a severity rating, allowing the security team to decide which vulnerabilities to patch first.

Most vulnerability disclosure reports include the following:

  • Name of the vulnerability and time of discovery
  • The vulnerability’s risk score, based on CVE databases
  • What systems the vulnerability impacts
  • Proof-of-concept exploits or a demonstration of how a bad actor could use the vulnerabilities
  • Remediation steps
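The four steps above, carried through in code as an added example (not part of the original article or of any HackerOne tooling): a scope definition with an exclusion, a batch of findings standing in for scanner output, severity ranking, and a report that carries the fields listed above. Every hostname, network, score and finding here is constructed for illustration; the severity bands follow the CVSS v3 qualitative scale.

```python
"""Constructed example: turn raw findings into a prioritized assessment report.

Step 1 defines scope, step 3's scan results are simulated as a list of
findings, and step 4 ranks them by severity and renders the report fields.
All hosts, networks, scores and findings are made up for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Step 1: scope agreed with the asset owner (assumed values).
SCOPE = {
    "networks": [ip_network("10.0.0.0/24")],
    "domains": ["app.example.com"],
    "excluded_hosts": {"10.0.0.250"},   # e.g. a production database the owner excluded
}


@dataclass
class Finding:
    name: str
    host: str
    score: float            # CVSS-style base score, 0.0 to 10.0 (constructed)
    remediation: str
    discovered: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def severity(score: float) -> str:
    """Map a 0-10 score to the CVSS v3 qualitative bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def in_scope(host: str) -> bool:
    """Step 1 check: keep only assets inside the agreed scope and not excluded."""
    if host in SCOPE["excluded_hosts"]:
        return False
    try:
        addr = ip_address(host)
    except ValueError:
        # Not an IP address: treat it as a hostname and match against scoped domains.
        return host in SCOPE["domains"] or any(
            host.endswith("." + d) for d in SCOPE["domains"]
        )
    return any(addr in net for net in SCOPE["networks"])


def prioritize(findings):
    """Steps 3-4: drop out-of-scope findings, then rank highest score first."""
    kept = [f for f in findings if in_scope(f.host)]
    return sorted(kept, key=lambda f: f.score, reverse=True)


def build_report(findings):
    """Render the report fields (name, time, score, affected host, remediation)."""
    lines = []
    for f in prioritize(findings):
        lines.append(
            f"[{severity(f.score)} {f.score:.1f}] {f.name} on {f.host} "
            f"(found {f.discovered:%Y-%m-%dT%H:%MZ}) -> {f.remediation}"
        )
    return lines


# Constructed scan output standing in for tool results.
SAMPLE_FINDINGS = [
    Finding("Default admin credentials", "10.0.0.12", 9.8, "Rotate credentials; enforce password policy"),
    Finding("Outdated TLS configuration", "app.example.com", 5.3, "Disable TLS 1.0/1.1"),
    Finding("SQL injection in search parameter", "10.0.0.250", 9.1, "Use parameterized queries"),
    Finding("Missing security headers", "api.app.example.com", 3.1, "Add CSP and HSTS headers"),
    Finding("Open Telnet service", "192.168.5.5", 7.5, "Disable Telnet; use SSH"),
]

if __name__ == "__main__":
    for line in build_report(SAMPLE_FINDINGS):
        print(line)
```

Two of the five constructed findings never reach the report: the excluded production host and the address outside the scoped network. That is the point of fixing scope first; a finding on an asset nobody agreed to test is a scoping error to raise with the owner, not a line item to remediate.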

Types of Vulnerability Assessments

Security teams can target assessments to particular systems or the entire organization. There are four different types of tests:

Network Assessments

Network assessments target network resources on the public or private network and test the security policies on the network level.

Application Assessments

Application assessments test for vulnerabilities such as cross-site scripting attacks and insecure cryptographic storage.

Database Assessments

During a database assessment, hackers test for vulnerabilities like SQL injections or misconfigurations. These tests can identify issues such as insecure testing environments and improper storage of database files.

Host Assessments

Host assessments examine servers on the network for vulnerabilities and exploits, including LDAP injections, privilege escalation, or accounts with weak default credentials.

Vulnerability Assessment Tools

Hackers use a variety of tools to find vulnerabilities in different systems and parts of a network.

OpenVAS

OpenVAS is a vulnerability scanner that tests internet protocols and includes its own internal programming language, allowing testers to customize their assessments further.

Nmap

Nmap is a widely used network mapping tool that discovers open ports, vulnerable services, and the layout of internal networks. Nmap works well in conjunction with other probing tools early in vulnerability assessments.
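An added example of the kind of early-stage check the Nmap paragraph describes, written for this page rather than taken from the article or from the Nmap project: it parses the XML that `nmap -oX` produces and flags every open port that the asset owner did not approve, which is how the "vulnerable, open ports" misconfiguration from the threat list above shows up in practice. The XML is hand-written to mirror Nmap's output format and the baseline of approved ports is assumed; neither is real scan data.

```python
"""Constructed example: audit Nmap XML output against an approved-ports baseline.

Reads the element layout Nmap writes with -oX (host / address / ports / port /
state / service) and reports open ports the owner has not approved.
The XML and the baseline below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output for two hosts (not real scan data).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.13" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed baseline: the (protocol, port) pairs each host is allowed to expose.
BASELINE = {
    "10.0.0.12": {("tcp", 22), ("tcp", 443)},
    "10.0.0.13": {("tcp", 443)},
}


def parse_open_ports(xml_text):
    """Return {ip: [(proto, port, service_name, product_version)]} for open ports only."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ip = addr_el.get("addr")
        opens = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Filtered/closed ports are not exposures; keep only "open".
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            opens.append((port.get("protocol"), int(port.get("portid")), name, version))
        result[ip] = opens
    return result


def unapproved_ports(parsed, baseline):
    """List every open port missing from the host's baseline; unknown hosts get everything flagged."""
    findings = []
    for ip, opens in parsed.items():
        allowed = baseline.get(ip, set())
        for proto, port, name, version in opens:
            if (proto, port) not in allowed:
                findings.append({"host": ip, "proto": proto, "port": port,
                                 "service": name, "version": version})
    return findings


if __name__ == "__main__":
    for f in unapproved_ports(parse_open_ports(SAMPLE_NMAP_XML), BASELINE):
        print(f"{f['host']} {f['proto']}/{f['port']} {f['service']} {f['version']}".rstrip())
```

On the constructed data the audit flags Telnet on the first host and SNMP over UDP on the second; the filtered MySQL port is ignored because it is not reachable. Keeping the baseline in version control next to the scan output gives the security team a diff to review after each scheduled scan rather than a raw port list.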

Burp Suite

Burp Suite provides hackers with automated vulnerability scanning tools for internal and external testing. It is popular among new and veteran hackers because of its comprehensive toolkit.

Nessus

Nessus is open-source software that offers in-depth vulnerability scanning through a subscription-based service. Hackers use Nessus to identify misconfigurations, quickly uncover default passwords, and perform vulnerability assessments.

Vulnerability Assessment vs. Penetration Testing

Vulnerability assessments identify vulnerabilities but do not exploit these flaws. Many vulnerability assessments use a scanning tool that ranks the vulnerabilities, allowing security professionals to prioritize them for remediation.

Penetration testing is a different security testing option. It starts with a vulnerability scan, then uses human testers to exploit the vulnerabilities found in order to gain unauthorized system access.

Organizations use penetration testing to simulate how much damage an attacker could do if they comprehensively exploited vulnerabilities. Vulnerability assessments, typically automated, can complement penetration testing by providing frequent insights between penetration tests.

Bug Bounty vs. Vulnerability Assessment

Bug bounty programs use human testers to hunt for bugs, discover vulnerabilities, and rank their severity. Bug bounties incentivize hackers for successfully discovering and reporting vulnerabilities or bugs and are a way for companies to leverage the hacker community to improve their systems’ security posture over time.

If your goal is more comprehensive vulnerability disclosure and security testing, bug bounty programs are a better choice, but don’t rule out vulnerability assessments.

The two types of testing complement each other. While bug bounties harness hacker-powered security to discover more complex vulnerabilities, vulnerability assessments deliver consistency and convenience, allowing security teams to get ahead of focused, time-constrained security testing for major initiatives such as product and feature releases. A combination of these approaches allows security teams to better address all vulnerabilities, improve their security profiles, and minimize exploits.

How HackerOne Can Help

HackerOne Assessments provides on-demand, continuous security testing for your organization. The platform allows you to track progress through the kickoff, discovery, testing, retesting, and remediation phases of an engagement. Whether you’re looking to meet regulatory standards, launch a product, or prove compliance, we’ll help your security teams find and close flaws before cybercriminals exploit them.

HackerOne delivers access to the world’s largest and most diverse community of hackers. Contact us to learn how you can start leveraging hacker-powered security today.
