Vulnerability assessment covers the vulnerability analysis activities that evaluate the impact and importance of a security vulnerability in an IT system. Based on that assessment, businesses can prioritize mitigation and remediation. Vulnerability assessment is an integral step of vulnerability management and is performed either automatically by vulnerability scanning software or manually during penetration testing. In practice the two are combined: a scanner can rate technical severity at scale, but a person still has to confirm exploitability and supply the business context the scanner cannot see.
Vulnerability assessment is essential for improving security posture because most organizations find more cybersecurity vulnerabilities than they can resolve immediately. This means they need to prioritize issues to decide which vulnerabilities need to be addressed as soon as possible and which can wait.
As with vulnerability management, vulnerability assessment is not limited to specific types of vulnerabilities or classes of security issues. It applies equally to network security and web application security. For web application security assessments, the process usually covers not only application vulnerabilities but also issues such as web server and host operating system misconfigurations. Vulnerability assessment is often treated as one part of broader information technology risk assessment and the wider risk management process.
Vulnerability assessments can be based on several different metrics. Here are the most common assessment criteria, though organizations may use additional ones based on their specific needs:
Vulnerability assessment is rarely a standalone feature and is typically included in the functionality of security tools. Here are the three most common cases:
The level of automation and integration of a vulnerability assessment process greatly depends on the software solutions selected by the business for security testing. Here are three examples of such processes.
Vulnerability assessment should incorporate many aspects of the security risk posed by a vulnerability, such as its severity, ease of exploitation, availability of exploits, target importance, business impact, escalation potential, ease of access, and more. Severity alone (for example a CVSS base score) describes only the technical weakness; the remaining factors add exploit and business context, so the same weakness can land in different priority groups on different assets. Based on such metrics, vulnerabilities can be classified into groups corresponding to remediation priorities, such as critical, important, medium importance, low importance, best-practice, and others.
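The following is an added example, not Invicti's scoring scheme or any code from the original page. It shows one way to combine the metrics named above into a single remediation priority: technical severity (a CVSS base score) is the starting point, and exploit availability, ease of exploitation, asset criticality, internet exposure and escalation potential adjust it. The weights, the 0 to 100 scale, the priority thresholds, the `Finding` field names and the five findings are all assumptions constructed for illustration. The point it demonstrates is that two findings can swap places once context is applied: the lower-CVSS TLS issue on the customer portal outranks the higher-CVSS reflected XSS on a throwaway marketing site.

```python
"""Illustrative risk-based prioritization of vulnerability findings.

Added example; the weighting scheme, thresholds and sample findings are
assumptions, not a published standard or a vendor's algorithm.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    cvss_base: float            # technical severity, 0.0 to 10.0
    exploit_public: bool        # working exploit code is publicly available
    exploitation_easy: bool     # e.g. unauthenticated, no user interaction
    asset_criticality: int      # 1 (lab box) .. 5 (revenue-critical system)
    internet_facing: bool       # ease of access for an external attacker
    escalation_potential: bool  # a foothold here leads to wider compromise


def risk_score(f: Finding) -> float:
    """Combine technical severity with exploit and business context.

    Returns a value on an assumed 0 to 100 scale. The contributions sum to
    exactly 100 for a worst-case finding (40 + 15 + 10 + 10 + 20 + 5).
    """
    score = f.cvss_base * 4.0            # severity: 0..40
    if f.exploit_public:
        score += 15                      # attackers do not need to write one
    if f.exploitation_easy:
        score += 10                      # low skill / no preconditions
    if f.internet_facing:
        score += 10                      # reachable without prior access
    score += (f.asset_criticality - 1) * 5   # business impact: 0..20
    if f.escalation_potential:
        score += 5                       # pivot value beyond the host itself
    return round(min(score, 100.0), 1)


# Assumed priority bands; labels mirror the groups named in the text.
PRIORITY_BANDS = (
    (80.0, "critical"),
    (60.0, "important"),
    (40.0, "medium"),
    (20.0, "low"),
    (0.0, "best-practice"),
)


def priority(score: float) -> str:
    """Map a risk score to a remediation priority label."""
    for threshold, label in PRIORITY_BANDS:
        if score >= threshold:
            return label
    return PRIORITY_BANDS[-1][1]


def prioritize(findings):
    """Return (title, score, priority) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.title, risk_score(f), priority(risk_score(f))) for f in ranked]


def cvss_only_order(findings):
    """Titles ordered by CVSS base score alone, for comparison."""
    return [f.title for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("SQL injection in customer login form", 9.8, True, True, 5, True, True),
    Finding("Kernel local privilege escalation on build server", 7.8, True, False, 4, False, True),
    Finding("Reflected XSS on marketing microsite", 6.1, False, False, 1, True, False),
    Finding("TLS 1.0 enabled on customer portal", 5.9, False, False, 5, True, False),
    Finding("Missing X-Content-Type-Options header on marketing microsite", 2.0, False, False, 1, True, False),
]


if __name__ == "__main__":
    for title, score, label in prioritize(SAMPLE_FINDINGS):
        print(f"{label:13} {score:5.1f}  {title}")
    print("CVSS-only order:", cvss_only_order(SAMPLE_FINDINGS))
```

Run as a script it prints the five findings in risk order with their bands. Swap the weights for ones agreed with the business owners before using anything like this for real triage; the useful property is not the specific numbers but that the ordering is explainable from the inputs.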
Find out how Invicti classifies vulnerabilities into severity levels.