How can your organization stay ahead of malicious actors, uncovering vulnerabilities before they do?
Vulnerability assessments, as part of your company's vulnerability management strategy, are an essential step. Through a vulnerability assessment, your organization can find critical vulnerabilities and keep your assets safe. But it is not always clear where to start. Accordingly, this blog post provides a comprehensive checklist for performing vulnerability assessments, written for both organizations and security testers. Our goal is to help you maintain a strong security posture, so that malicious attacks are kept at bay.
Vulnerability Assessment vs Penetration Test
But first: what’s the difference between vulnerability assessment and penetration testing (pentest)?
A vulnerability assessment and a penetration test (pentest) are both crucial in identifying weaknesses in a system, but they differ significantly in their approach and objectives.
As part of an organization's proactive security strategy, a vulnerability assessment is a comprehensive evaluation of a system to identify and prioritize vulnerabilities. It is generally automated, using vulnerability scanning tools to look for known vulnerabilities, and provides a broad overview of potential security weaknesses.
In contrast, penetration testing is a more targeted adversarial security approach. It simulates a real-world attack to exploit security weaknesses in a system, assessing the effectiveness of security measures and the potential impact of a breach.
While vulnerability assessments offer a wide-ranging view of potential security issues, pentests provide a deeper, more practical insight into how an attacker could exploit these vulnerabilities, often involving a combination of manual and automated techniques.
The Vulnerability Assessment Checklist
The vulnerability assessment checklist can be broken into three sections, representing the typical lifecycle of a vulnerability assessment: pre-assessment, assessment, and post-assessment.
Pre-assessment
1) Create an asset inventory
Creating an asset inventory is a crucial step in identifying potential security risks and vulnerabilities that a company might face. Assets could include:
- Enterprise servers
- Employee workstations
- IP and port ranges
- Internet of Things (IoT) devices
- Network infrastructure
- Web, mobile, desktop, or browser extension applications
- DevOps workflows
However, it is not always straightforward to identify all the assets of an organization, especially if it is a large enterprise with a broad attack surface. Shadow IT, for instance, could make some assets challenging to uncover.
Attack surface discovery tools help circumvent these limitations: they automate asset discovery and can find many of the asset types listed above in real time.
2) Set the scope
Vulnerability assessments are limited in duration and resources, so they must be focused. Setting an assessment scope is therefore crucial: it tells security testers which assets to test and which features to prioritize.
A scope varies depending on an organization’s compliance requirements and threat model. A hospital that must maintain HIPAA compliance, for example, would prioritize systems that store medical data. Likewise, a software company that builds a password manager would include its web and mobile applications in scope, focusing on user password confidentiality. Which of the assets are in scope depends on an organization’s security goals.
3) Choose the methodology
A set methodology is also necessary for a vulnerability assessment. It should determine the following:
- Automated tools: this varies per asset; if the scope includes a web application, the assessment’s methodology would include a web application scanner
- Type of testing: the testing types are white-box (source-code and documentation are provided to testers), black-box (no source-code or documentation), or gray-box (a combination of both); determining the type of testing is essential when hiring external security testers
- Vulnerability classes to uncover: an organization may prioritize some vulnerability classes over others depending on the scope; for instance, a software company that develops a password manager would prioritize vulnerabilities that compromise password confidentiality
4) Prepare the testing environment or scope items
Before starting a vulnerability assessment, a company may need to prepare the scope items or testing environment. Indeed, looking for vulnerabilities in production could lead to unintended consequences such as downtime or data leakage. Testers typically need:
- Source-code (in the case of white-box or gray-box testing)
- Website URLs
- VPN access
- Test credentials
- IP and port ranges
Assessment
1) Run automated tools
The initial step of a vulnerability assessment is running automated tools. These are the tools selected when choosing the methodology (pre-assessment), and they correspond to the assets in scope. Additionally, fingerprinting or reconnaissance (recon) tools are necessary in black-box or gray-box testing, where testers have limited visibility.
After some time, scanners produce a report with their results. The report would include the discovered vulnerabilities, their evidence, and their corresponding severities. It is worth noting that automated tools are prone to false positives; therefore, testers must manually verify scanner results before continuing their assessment.
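The scope set in step 2 of the pre-assessment and the "verify before you continue" rule above can both be enforced in the same small triage step. The following Python is an added example, not IONIX's code or tooling: it takes a constructed scanner export (the JSON format, the `SCOPE` definition, and the `example.net` / `203.0.113.0/24` values are all placeholders), drops anything outside the agreed scope, removes duplicate findings, sorts what is left by severity, and marks every finding as unverified so that nothing reaches the report without a tester looking at it.

```python
"""Filter raw scanner findings against the agreed scope and queue them for
manual verification. Added example, not IONIX's code or tooling: the scope
definition and the JSON report below are constructed for illustration (real
scanners each have their own export format, so adapt the field names)."""
import ipaddress
import json

# Scope agreed in the pre-assessment phase. 203.0.113.0/24 and example.net are
# documentation-reserved values used here as constructed placeholders.
SCOPE = {
    "cidrs": ["203.0.113.0/24"],
    "domains": ["example.net"],   # subdomains are in scope as well
    "ports": {80, 443, 8443},
}

# Constructed scanner export: a duplicate, a finding without evidence, and an
# out-of-scope host are included on purpose.
SCANNER_REPORT = json.dumps([
    {"id": "TLS-001", "asset": "api.example.net", "port": 443,
     "severity": "medium", "evidence": "TLS 1.0 offered"},
    {"id": "TLS-001", "asset": "api.example.net", "port": 443,
     "severity": "medium", "evidence": "TLS 1.0 offered"},
    {"id": "XSS-042", "asset": "203.0.113.17", "port": 8443,
     "severity": "high", "evidence": ""},
    {"id": "SSH-007", "asset": "198.51.100.5", "port": 22,
     "severity": "critical", "evidence": "weak key exchange"},
    {"id": "HDR-003", "asset": "blog.example.net", "port": 80,
     "severity": "low", "evidence": "HSTS header missing"},
])

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def in_scope(asset: str, port: int, scope: dict = SCOPE) -> bool:
    """True when the asset is an in-scope IP or (sub)domain on an in-scope port."""
    if port not in scope["ports"]:
        return False
    try:
        ip = ipaddress.ip_address(asset)
    except ValueError:  # not an IP literal, so treat it as a hostname
        host = asset.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in scope["domains"])
    return any(ip in ipaddress.ip_network(c) for c in scope["cidrs"])


def triage(report_json: str, scope: dict = SCOPE) -> list:
    """Drop out-of-scope findings, de-duplicate, sort by severity, and mark
    everything that remains as unverified: scanner output is evidence to be
    checked by a tester, not a confirmed vulnerability."""
    unique = {}  # dict keeps insertion order, so the first occurrence wins
    for f in json.loads(report_json):
        if not in_scope(f["asset"], f["port"], scope):
            continue
        key = (f["id"], f["asset"], f["port"])
        if key not in unique:
            unique[key] = {
                **f,
                "status": "unverified",
                "needs_evidence": not f["evidence"],  # nothing to verify against yet
            }
    return sorted(unique.values(),
                  key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))


if __name__ == "__main__":
    for f in triage(SCANNER_REPORT):
        print(f"{f['severity']:<8} {f['id']:<8} {f['asset']}:{f['port']}  "
              f"status={f['status']} needs_evidence={f['needs_evidence']}")
```

Two details are deliberate: the out-of-scope host is dropped before anyone looks at it (the critical SSH finding on 198.51.100.5 never enters the queue, because port 22 and that address were never agreed), and a finding with empty evidence is flagged rather than discarded, since a scanner that reports a high-severity issue without evidence is exactly the kind of result that needs a manual check.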
2) Manual security review
The second step is manual security review. Penetration testing and other active security validation processes are often still conducted manually due to their complexity and potential disruption to systems. Some security issues are challenging to find with automation, such as race conditions, logic bugs, or access control gaps. This is especially the case for testing applications, where context is required for interacting with features. Furthermore, some scanner results could require additional review—such as a cryptographic issue whose impact is unclear.
Each asset type comes with its vulnerability classes. Web applications, for example, are usually vulnerable to OWASP’s Top 10 Web Application Security Risks:
- Broken Access Control
- Cryptographic Failures
- Insecure Design
- … (see more on OWASP’s list)
As such, a tester would try to identify the vulnerability classes typical of each asset type. Additionally, manual security review can be complemented by source code review in the case of white-box testing. This helps in identifying security flaws that may be hard to detect otherwise.
3) Gather evidence
Along the way, testers gather evidence of the vulnerabilities they verified. The evidence can come in the form of screenshots, proof-of-concept scripts, step-by-step reproduction instructions, or vulnerable source-code snippets. By documenting this evidence, testers can provide a clear picture of the identified vulnerabilities and help the development team understand the risks associated with them.
4) Determine the severity of findings
To prioritize the mitigation of findings, each vulnerability should be assigned a severity: low, medium, high, or critical. The Common Vulnerability Scoring System (CVSS) is a popular severity scoring tool. However, severity can vary depending on the organization's threat model and the application's context. CVSS also does not cover risks such as misconfigurations, which are very common and often more dangerous.
Consider a scenario where a company’s marketing blog has a cross-site scripting (XSS) vulnerability. If the XSS provides access to user sessions, the XSS could be classified as medium severity or higher, depending on the sensitivity of the actions or data. However, if the marketing blog is on a different subdomain and has no access to user sessions, the severity could be classified as low. In other words, context changes severity.
Post-assessment
1) Write a report
After completing their assessment, testers create a detailed report for the company and stakeholders. The report should include an executive summary and details on each discovered vulnerability:
- Evidence of the vulnerability
- Severity of the vulnerability
- Summary of the vulnerability, mentioning the business risk
- Steps to reproduce the vulnerability
- A fix recommendation to mitigate the issue
Moreover, the report should address the company’s security posture:
- Were the company’s assets sufficiently secure?
- Has the company’s security posture improved since the last assessment was conducted?
- Were there any repeated security weaknesses?
A comprehensive report helps the company understand its security risks and take appropriate measures to mitigate them.
2) Mitigate vulnerabilities
After identifying vulnerabilities in the assessment, the next step is mitigation. The company must assign the fixes to the appropriate developers or specialists. For example, a firewall misconfiguration could be assigned to the system administrators or the IT team. It is also important to prioritize the vulnerabilities based on their severity. Higher severity vulnerabilities should be addressed first.
[A screenshot of a GitHub pull request entitled, “Patch XSS in api.example.net/v1/storage/greet”. It includes a code snippet that escapes the user input to mitigate the vulnerability.]
Once patched, a vulnerability must be retested. Retesting ensures that a fix is sufficient and cannot be circumvented.
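What "patched, then retested" looks like in code, as an added example that is not the pull request in the screenshot above and not IONIX code: a greet handler before and after escaping user input, and a small retest gate that re-runs a set of constructed probe strings against whichever handler is deployed. The handler is a plain Python function standing in for an HTTP endpoint so that the example runs offline.

```python
"""A 'greet' handler before and after the fix, plus a retest gate.

Added example: this is not the pull request in the screenshot nor IONIX code.
The handler is a plain function standing in for an HTTP endpoint so the
example runs offline, and the probe strings are constructed retest inputs."""
import html


def greet_vulnerable(name: str) -> str:
    """'Before': the user-supplied name is interpolated straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def greet_patched(name: str) -> str:
    """'After': <, >, & and quotes are escaped, so the name can only render as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed retest probes; each contains characters that must not reach the
# page unescaped (a tag, a quote that could close an attribute, an ampersand).
PROBES = ["<script>alert(1)</script>", '"><b>bold</b>', "Bob & Alice <3"]


def retest(handler) -> dict:
    """Run every probe through the handler. A probe passes when the escaped
    form of the input appears in the output and the raw form does not.
    Returns {probe: passed} so the retest section of the report can list
    exactly what was exercised."""
    results = {}
    for probe in PROBES:
        out = handler(probe)
        escaped = html.escape(probe, quote=True)
        results[probe] = escaped in out and probe not in out
    return results


def fix_verified(handler) -> bool:
    """The retest gate: the finding is closed only if every probe passes."""
    return all(retest(handler).values())


if __name__ == "__main__":
    print("before patch, retest passes:", fix_verified(greet_vulnerable))  # False
    print("after patch, retest passes: ", fix_verified(greet_patched))     # True
```

The value of keeping the probes in one place is that the same set is re-run whenever the handler changes again; a fix that only blocked the one string in the original finding would fail the gate on the other probes, which is the "cannot be circumvented" check the paragraph above asks for.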
3) Learn from the assessment
Lastly, the assessment serves as a learning opportunity. Some vulnerabilities could indicate organizational issues, such as broken security processes or insufficient policies. Code-related issues may show gaps in a DevOps process, for example inadequate static analysis or code review. Remediation isn't simply code in, code out. Processes, workflows, and policies may need revision.
Potential threats are everywhere in the modern digital landscape, making vulnerability assessments indispensable for any forward-thinking organization. By understanding their infrastructure’s weaknesses, companies can take proactive measures, ensuring they remain one step ahead of potential cyber adversaries. Our vulnerability assessment checklist serves as a comprehensive guide to finding those weaknesses: it covers everything from how to prepare for an assessment to what comes after.
Still, there is more that can help.
Tools such as IONIX’s comprehensive attack surface management solution can simplify the vulnerability assessment process, giving you a better view of your attack surface. IONIX further provides a full range of security options, including:
- Attack Surface Discovery: See your real attack surface from an attacker’s point of view.
- Risk Assessment: Continuously monitor your complete attack surface with multi-layered risk assessment to identify threats before they’re exploited by attackers.
- Risk Prioritization: Prioritize risk with multi-layer context so you can stay focused on the most urgent and exploitable risks.
- Risk Remediation: Automate the mitigation of the most exploitable risks to protect your organization against the most critical threats.