What is vulnerability assessment, and what is its main difference from penetration testing?
Vulnerabilities are potential security weaknesses in information systems. A vulnerability is also an attribute of security risk: combined with a security threat, it may cause the risk to materialize. The purpose of vulnerability assessment is to proactively assess possible security gaps in an organization. This helps organizations identify weaknesses and fix them before the bad guys identify and exploit them.
Vulnerability assessment should be conducted on an ongoing basis and is a crucial component of risk assessment and management. Workstations, servers, routers, firewalls, and people may all be sources of vulnerabilities, so assessments should consider every entity in an organization. Risk is the intersection of vulnerability and threat. Therefore, the more vulnerabilities there are, the higher the probability that these weaknesses will be exploited to pose security threats and risks.
Vulnerability assessment plays a crucial role in unearthing weaknesses in information systems, and it should be combined with other techniques, such as penetration testing, to get better results. The difference between the two is that penetration testing goes one step further and exploits the identified vulnerabilities. In vulnerability assessment, the weaknesses are identified and reported, but not exploited.