Vulnerability assessments look for known weaknesses and security flaws in a variety of systems. This includes servers and workstations, desktops, laptops, mobile devices, firewalls, routers and cloud-based environments. Since a vulnerability scan may produce thousands of results, third-party security experts can help you prioritize what to patch first. They can also help you identify where you need to upgrade, update, or install new hardware, software, or other solutions. By contrast, penetration testing, also known as pentesting, is used to see how attackers actually use these vulnerabilities to get into your network, how far they can move within the network once they’re in and what information and data they can find and exfiltrate.

One of the most common vulnerabilities that can lead to security incidents is security patching . Some of the biggest data breaches of the 21st century show that known vulnerabilities played a role in many of them. For example, SQL injections are a dangerous web application security vulnerability that enable attackers to use application code to access or corrupt database content. Attackers can add, delete, or read content in a database, read source code from files in a database server, and write files to the database server. Overall, web application security vulnerabilities are largely due to coding and configuration errors. Development teams can often identify vulnerabilities in the development phase by conducting code audits from start to finish, but this step is often overlooked, and vulnerabilities can be hard to spot.

• Cross-site Scripting – Cross-Site Scripting is a malicious attack that tricks a web browser into performing undesired actions that appear as though an authorized user is doing them.
• Buffer Overflow – Buffer Overflows occur when there is more data in a buffer than it can handle, causing data to overflow into adjacent storage.
• Cross-site Request Forgery – Cross-Site Request Forgery (CSRF) is another malicious attack that tricks web browsers into doing things that appear as if an authorized user is performing those actions.
• CRLF Injection – CRLF Injection attacks refer to the special character elements “Carriage Return” and “Line Feed.” Exploits occur when an attacker can inject a CRLF sequence into an HTTP stream.

Vulnerability assessments offer a number of key benefits:

• Find Known Security Issues - The primary goal of conducting regular vulnerability assessments is to find known security issues before attackers do, and to plan accordingly.
• Inventory Your Devices and their Vulnerabilities - Vulnerability assessments will help you develop a comprehensive inventory of all the devices on your network, along with vulnerabilities associated with each device. This inventory can help you better plan your budget for new and upgraded equipment, devices and security solutions.
• Establish a Baseline - They can help you establish a baseline for your organization to measure progress over time and optimize your existing security benefits based on your risk levels. Conducting self-assessments can provide a more complete picture of how security is managed and improved over time.

While penetration tests should be conducted annually, vulnerability scans and assessments should be conducted at least monthly. This schedule can depend on many factors, such as your industry, the type of data you handle, your risk tolerance, business needs, and compliance requirements like the Health Insurance Portability and Accountability Act (HIPAA/HITECH), Payment Card Industry Data Security Standards (PCI-DSS) and the Gramm-Leach-Bliley Act (GLBA). In both cases, independent and objective experts like those at Motorola Solutions can help you get the most from these assessments. Identify weak points with our range of pentesting services.