Vulnerability Assessments are the pre- and post-deployment series of exercises which security teams conduct to ensure that a system is free from known security risks. Following the initial security assessment for a particular build or installation, the party deploying it patches the newly discovered vulnerabilities and the processes is repeated until the system is secure.
Vulnerability assessments are often categorized into host assessments, or costly system-level ones for critical systems, and network assessments of all services to provide a wholesale report of necessary fixes.
Vulnerability assessments differ from penetration testing in different ways. The former are continuous, have comprehensive reports, list known software vulnerabilities, are performed in-house, are inexpensive, and are detective in nature. The latter occur annually, yield succinct reports, reveal new exploitable exposures, are costly, and are preventive.
The term vulnerability assessment is not synonymous with vulnerability management. Vulnerability management practices refer to software vulnerabilities alone. Specifically these actions are recurrent efforts to identify, classify, prioritize, remediate, and mitigate vulnerabilities in software.
“Before we launched our new application to thousands of employees, we did a number of vulnerability assessments to weed out known, addressable defects that could pose a security risk if exploited.”