People often confuse vulnerability assessment with penetration testing . in fact , It's true that the two terms are often used interchangeably , but , There's a big difference between them . To strengthen the company's network risk situation , It's not just about testing vulnerabilities , There's also a need to assess whether the vulnerability can be effectively exploited , And what risks they represent . And enhance the company's resilience to cyber attacks , You need to understand vulnerability assessment 、 The internal link between penetration testing and network risk analysis .
Vulnerability assessment has become the mainstream security practice in today's dynamic threat situation . Exploit vulnerability scanners , Whether it's for the Internet 、 Application or database , It's already standard practice for many large end-user companies . The goal of vulnerability assessment , It's about identifying and quantifying security vulnerabilities in the environment . Existing software scanners can be used to assess the security situation of a company , Identify known security gaps , Suggest appropriate risk mitigation actions —— Or get rid of it , Or at least to an acceptable level of risk .
The vulnerability assessment process usually indexes all the assets of the enterprise , Classify assets based on business value and potential impact , Then identify known vulnerabilities associated with each asset . The last step , It involves key vulnerability mitigation operations against assets with the highest potential business impact . The more problems you find, the better .
However ,“ real ” In the process of vulnerability management , Focus on known vulnerabilities discovered by vulnerability scanners , It's just the first step of the long march . If we don't put vulnerability into exploitation environment , Repair resources are often misplaced . To better prioritize mitigation actions , It's best to determine whether a particular vulnerability is exploitable or not . Without this step , It's not just a waste of money , what's more , Will give hackers a longer window time and opportunity to exploit high-risk vulnerabilities . Last , Our goal is , Shorten the window time for attackers to exploit software defects .
Better remember ： Vulnerability scanners submit results based on known vulnerability lists , It means that these vulnerabilities have long been exploited by security professionals 、 Cyber attackers and the business community are familiar with . Unfortunately , There are not only known vulnerabilities in the world , There are also many unknown loopholes in the wild , And scanners don't find them .
In addition to considering the internal security intelligence of the enterprise in the external threat data environment , More and more companies are conducting penetration testing to determine the availability of vulnerabilities . Penetration testing is performed by ethical hackers , Simulate malicious external / The behavior of an internal network attacker . The goal of penetration testing , It's exposing the safety gap , Then analyze the risk of these gaps , Determine what kind of information will be leaked once this vulnerability is exploited . Penetration test results usually contain the severity of the vulnerability 、 Availability and related mitigation actions . Ethical hackers usually use automated tools , such as Metasploit etc. , Others even write their own exploit kits .
To spell out the loophole puzzle , Companies need to conduct a comprehensive risk analysis , Take all the factors into account , For example, asset criticality 、 Loophole 、 External threats 、 Accessibility 、 Availability and business impact, etc .
Last , Vulnerability assessment 、 Penetration testing and network risk analysis must work together to reduce network security risks .