Vulnerability assessment is a method that recognizes and classifies the security bugs in a computer, network, or infrastructure.
Some kind of automated scanning product is used to examine the ports and services on a range of IP addresses. Most of these products can also test for the type of operating system and application software running and the versions, patch levels, user accounts, and services that are also running.
These findings are matched up with associated flaws in the product’s database. The final result is a large collection of reports that present a list of each system’s flaws and corresponding countermeasures to decrease the associated risks. Essentially, the tool states, “Here is a list of your bugs and here is a list of things you need to do to fix them.
The problem with just depending upon this results is that it was generated by an automated tool that has a hard time putting its findings into the proper context of the given environment
For example, many of these tools present an alert of “High” for vulnerabilities that do not have a highly probable threat associated with them. The tools also cannot understand how a small flaw can be used in a large organized attack. Vulnerability analysis is great for recognizing the foundational security issues within an environment, but many times, it takes an ethical hacker to really test and qualify the level of risk specific vulnerabilities pose.