In the previous blog post we looked at what a vulnerability is and what an exploit is. In this post we will look at why an organization should carry out vulnerability assessments, what the major difference between Penetration Testing and Vulnerability Assessment is, and what ISO 27001 requires in terms of vulnerability assessment.
Why Vulnerability Assessment?
Organizations use information technology to make their work faster, more efficient and more manageable, but it is commonly observed that they do not take care of information security, which often leads to a negative impact. Organizations give users access to the internet along with the intranet, which opens a path for data to be stolen. It is important that an organization has a vulnerability assessment policy and that it is implemented properly.
As per the ISO 27001 standard, one should look for the following classes of vulnerability:
- Access control error – lack of enforcement of who may access what
- Authentication error – inadequate identification mechanisms (weak, default or missing credentials)
- Boundary error – inadequate checking/validating of limits (buffer, array and range bounds)
- Configuration error – improper or insecure configuration
- Exception handling error – errors and failures not handled safely in setup or code
- Input validation error – lack of verification of data coming from outside the trust boundary
- Randomization error – predictable or insufficiently random data where unpredictability is required (tokens, keys, nonces)
- Resource error – missing limits or exhaustion of resources (memory, handles, connections)
- State error – incorrect process flow, e.g. steps that can be skipped or reordered
All of the above vulnerability classes apply to applications, but as mentioned earlier, applications are not the only scope: one should check physical security as well.
Vulnerability Assessment Vs. Penetration Testing
Many people feel that Vulnerability Assessment and Penetration Testing are one and the same thing, but in fact they are different. A vulnerability assessment is limited to finding and classifying vulnerabilities and the risk they pose. Penetration testing goes beyond that: it tries to actually exploit the vulnerability to demonstrate the impact.
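The following Python example, added here and not part of the original post, shows both ideas in working code: an assessment step that inspects a toy inventory, classifies what it finds under the vulnerability classes listed above (access control, authentication and configuration errors) and assigns a severity without touching the targets, and a separate penetration-test step that takes those findings and tries to exploit one of them. The hosts, the product names `acme-router` and `acme-nas`, and the `DEFAULT_CREDS` list are all constructed for this example and are not real products or real findings.

```python
from dataclasses import dataclass, field

# Constructed example: product names, versions and hosts below are hypothetical
# and exist only to illustrate the workflow; they are not real findings.


@dataclass
class Host:
    name: str
    banner: str                       # "product/version" as seen by a scanner
    config: dict = field(default_factory=dict)
    # Credentials the simulated service actually accepts. The assessor never
    # reads this; only the penetration-test step talks to login().
    secret_creds: dict = field(default_factory=dict)

    def login(self, user, password):
        """Simulated authentication endpoint of the target service."""
        return self.secret_creds.get(user) == password


@dataclass
class Finding:
    host: str
    category: str        # one of the vulnerability classes listed above
    severity: str
    detail: str
    exploited: bool = False
    evidence: str = ""


# Hypothetical vendor-default credential list; a real assessor uses a vetted database.
DEFAULT_CREDS = {"acme-router": [("admin", "admin"), ("admin", "password")]}


def assess(hosts):
    """Vulnerability assessment: inspect banners and configuration, classify,
    assign a severity. Nothing here authenticates to or modifies a target."""
    findings = []
    for h in hosts:
        product = h.banner.split("/")[0]
        if h.config.get("telnet"):
            findings.append(Finding(h.name, "Configuration error", "High",
                                    "telnet enabled; credentials cross the network in cleartext"))
        if h.config.get("anonymous_share"):
            findings.append(Finding(h.name, "Access control error", "Medium",
                                    "file share readable without authentication"))
        if h.config.get("password_policy") == "none":
            findings.append(Finding(h.name, "Authentication error", "Medium",
                                    "no password length or complexity policy enforced"))
        if product in DEFAULT_CREDS:
            findings.append(Finding(h.name, "Authentication error", "High",
                                    "product ships with vendor default credentials; "
                                    "confirm they were changed"))
    return findings


def penetration_test(hosts, findings):
    """Penetration test: take the assessment's findings and try to exploit them.
    Only the default-credential finding is actively verified here; the rest stay
    as assessed (unverified) findings in the report."""
    by_name = {h.name: h for h in hosts}
    for f in findings:
        if f.category == "Authentication error" and "default credentials" in f.detail:
            host = by_name[f.host]
            product = host.banner.split("/")[0]
            for user, password in DEFAULT_CREDS[product]:
                if host.login(user, password):
                    f.exploited = True
                    f.evidence = f"logged in as {user!r} with a vendor default password"
                    break
    return findings


def report(findings):
    """Rows of (host, category, severity, status) suitable for an assessment report."""
    return [(f.host, f.category, f.severity,
             "exploited" if f.exploited else "unverified") for f in findings]


# Constructed inventory: two routers with the same banner but different credential
# hygiene, and a file server with access-control and policy problems.
INVENTORY = [
    Host("router1", "acme-router/2.1", {"telnet": True}, {"admin": "admin"}),
    Host("router2", "acme-router/2.1", {"telnet": False}, {"admin": "7y!Qm#2vLp9s"}),
    Host("fileserver", "acme-nas/4.0", {"anonymous_share": True, "password_policy": "none"}),
]

if __name__ == "__main__":
    results = penetration_test(INVENTORY, assess(INVENTORY))
    for row in report(results):
        print(*row, sep="\t")
```

Note the division of labour: `assess()` produces the same two default-credential findings for both routers because from the outside they look identical, and it is only `penetration_test()` that separates the router whose defaults still work from the one that was hardened. An assessment report lists both as "unverified" risks; a penetration test report can mark one as "exploited" with evidence.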
A sample Vulnerability Assessment Report can be downloaded from