Protecting IT infrastructure, applications, and data requires that you understand security weaknesses attackers can exploit. Conducting a vulnerability assessment is essential to gaining that understanding. To get a clearer picture of this essential security practice, we’ll look at its different types, how the practice is changing, and how vulnerability assessment tools fit into your overall approach to managing application security.
What is vulnerability assessment?
Vulnerability assessment is the process of identifying, quantifying, and prioritizing the cybersecurity vulnerabilities in a given IT system. The goal of an assessment is to locate weaknesses that can be exploited to compromise systems. Examples of such weaknesses are errors in application code, misconfigured network devices, overly permissive access controls in a database, or arbitrary code execution as detected recently with Log4Shell. Vulnerability assessment is an established area of security.
In all, there are seven types of vulnerability assessments, each with its own focus and methods:
- Application analysis has two types: static and dynamic. Static analysis of application code finds specific points in software that a hacker can exploit, such as SQL injection attacks. Dynamic analysis determines if vulnerabilities exist based on the way the application is configured.
- Network analysis looks for weaknesses within a network’s configurations and policies that would allow network access to unauthorized users. This is done with the help of vulnerability assessment tools, such as a network scanner that’s been configured for a specific set of IP address ranges. NMAP is an example of a well-known open-source network scanner.
- Host analysis focuses on operating systems, virtual machines, and containers to understand if there are software components with known vulnerabilities that can be patched. These can include the configuration of operating system access controls and the use of unnecessary libraries or system services.
- Database analysis determines if the database complies with configuration standards and security best practices (for example, strong passwords) to avoid data exfiltration, and whether the database itself (such as Oracle) contains known vulnerabilities.
- Cloud infrastructure analysis ensures the secure configuration of cloud infrastructure including virtual machines, containers, cloud-hosted databases, and serverless services. This also determines if identity management and access control policies are in place.
- Secret management analysis detects whether usernames, passwords, encryption keys, or other necessary secret data are exposed in scripts or available in source code repositories.
- API analysis examines vulnerabilities exposed in APIs, the method modern applications use to transfer data between endpoints and cloud-based applications. The Open Web Application Security Project (OWASP) is a nonprofit foundation that lists the top 10 API vulnerabilities.
A common phrase you might hear alongside “vulnerability assessment” is “risk assessment”. Vulnerability assessment spots weaknesses that could be exploited, whereas risk assessment identifies the likelihood that each vulnerability could be exploited and the business impact if such an exploit were to occur.
How does vulnerability assessment work?
- Identify vulnerabilities. The first step of a vulnerability assessment is to identify your vulnerabilities. This is done by scanning targets such as application code, network infrastructure, or virtual machines. Different types of targets require different techniques for identification. That said, vulnerability databases such as CVE, help identify known vulnerabilities.
- Analyze findings. The next step is to analyze your findings. During analysis, you can determine the cause of vulnerabilities. For example, there could be a vulnerability in an operating system utility, or in a custom application that one of your developers wrote, or there could even be a vulnerability because someone configured a system incorrectly.
- Assess risk. The next step is risk assessment. The potential business impact of each vulnerability depends on several factors including the systems affected, the business processes impacted, and the potential damage if the vulnerability were to be exploited. It’s not uncommon for organizations to accept the risk of vulnerabilities that would have little material impact on the business. However, organizations should always address high-risk vulnerabilities.
- Remediation. The final phase is remediation. This is where organizations take action to reduce the risk of high-priority vulnerabilities being exploited. Some possible actions include:
- Upgrading and patching software vulnerabilities
- Implementing additional security controls, known as compensating controls
- Changing system configurations
- Reducing or eliminating the use of vulnerable software that cannot be patched
How is the field of vulnerability assessment changing?
The world is changing fast. Organizations are moving to the cloud, building cloud-native applications that heavily leverage open-source software, and adopting new practices such as Agile and DevOps to deliver applications more rapidly.
As a result, some of the traditional approaches to vulnerability assessment are no longer working as well as security practitioners would like. For example, with continuous integration and continuous deployment (CI/CD), the software changes frequently and automatically, and there’s often not enough time to perform traditional software vulnerability tests. When we recently surveyed 700 CISOs around the world, 63% told us their accelerated pace of software production and delivery have made it more difficult to detect and manage software vulnerabilities.
As a result of these transformations, organizations are re-evaluating their approach to vulnerability assessments and application security as a whole.
A better approach to managing vulnerability assessments and application security
Vulnerability assessment is the first step in the larger process of vulnerability management, which has the goal of reducing your attack surface to make it harder for an attacker to compromise your IT assets.
Some existing vulnerability assessment tools focus on application vulnerabilities, while others focus on host vulnerabilities, cloud infrastructure vulnerabilities, or device vulnerabilities. Most traditional assessment tools aren’t well suited for cloud applications. Those that scan source code will frequently produce false positives, while those that are traditional runtime products have a difficult time seeing application-layer vulnerabilities inside containers.
Dynatrace’s Application Security Module includes runtime vulnerability detection as part of its Software Intelligence Platform. Unlike traditional security tools that examine source code or container manifests, Dynatrace sees which open-source libraries are actually used in runtime, how they are used, and the context in which they are used — whether the process is exposed to attack, has connections to “crown-jewel” databases or faces other factors. This rich information is fed into our AI engine, Davis, which then computes a Davis Security Score for every vulnerability. This enables Dynatrace to generate uniquely accurate risk scores (much more accurate than just the Common Vulnerability Scoring System) and helps IT teams understand which vulnerabilities are important and which risks could truly impact the business.