Everything you need to know about Vulnerability Assessment

There is lots of information regarding vulnerability assessment online. Here we would like to give you complete guidance on the most frequently asked questions regarding vulnerability assessment.


What is Vulnerability Assessment?

Vulnerability assessment is sometimes called vulnerability scanning or vulnerability testing. There are many different definitions of vulnerability assessment. Among them, let us take the one from the NCSC: "Vulnerability Scanning is a broad term, used to describe the automated process of detecting defects in an organisation’s security program. This covers areas such as the patch management process, hardening procedures and the Software Development Lifecycle (SDLC). Services or products that offer vulnerability scanning are also commonly known as Vulnerability Assessment Systems (VASs)."


There are a couple of points worth highlighting in this definition:

Automated process - it is not, and should not be, a manual process;

Detecting defects - vulnerability assessment is the first step of your overall cyber security strategy. Before you can improve your systems or fix any bugs, you need to understand their current status;

Organisation's security program - vulnerability assessment is not about a single point or a single system. It should give you the whole picture at organisation level.


Why does vulnerability assessment matter to you?


According to the Cyber Security Breaches Survey 2021 published by the UK government in Mar 2021, "Four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%)".

More importantly, most companies are not only exposed to cyber attacks or security breaches, but also suffer business losses as a result of lost or stolen data or business interruption. According to the same report: "For medium and large firms combined, this average cost is higher, at £13,400." To protect yourself from such losses, vulnerability assessment is the first action you should take to evaluate your cyber environment and decide on the necessary measures.


What is the difference between Vulnerability Assessment and Penetration Test?


Vulnerability Assessment and Penetration Test are two different concepts that are often confused. In brief, a vulnerability assessment is usually an automated process that runs periodically (typically monthly), while a penetration test normally involves experienced cyber security experts working to a specific objective through a comprehensive, largely manual process. Hence, vulnerability assessments should be carried out more frequently than penetration tests.


Why is web application vulnerability the most common risk?


Compared with hackers of past decades, modern hackers tend to spend more time on web application bugs. On one hand, servers, networks and browsers now have stronger security protection. On the other hand, the advanced and complex interactive features of web applications leave potentially more bugs for hackers to discover.

Cross-Site Scripting (XSS) is one of the most commonly used attacks. In an XSS attack, the hacker supplies their own script, and takes advantage of poor filtering in an application that allows that script to be executed in the targeted victim's browser.
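As an added example (not code from the original article), here is a minimal comment-rendering routine in the unsafe form the paragraph describes, next to a hardened version that HTML-escapes user input before inserting it into the page. The function names and the sample comment are made up for this illustration.

```javascript
// Constructed sample input: a "comment" that contains markup rather than text.
const SAMPLE_COMMENT = '<img src=x onerror="alert(1)">Nice post';

// Vulnerable form: the raw user input is concatenated straight into the HTML
// response, so any tag or event-handler attribute in it becomes live markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Escape the characters HTML treats specially, so the browser shows the
// input as text instead of interpreting it as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: same template, but the input is escaped on output.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// The check a scanner or a unit test applies: did the submitted input come
// back in the response verbatim (i.e. unescaped)? True means the page is
// reflecting user input as markup and needs output encoding.
function reflectedUnescaped(html, input) {
  return html.includes(input);
}

// Demonstration when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderCommentUnsafe(SAMPLE_COMMENT));
  console.log('safe:  ', renderCommentSafe(SAMPLE_COMMENT));
}
```

The same output-encoding rule applies to every place user-controlled text is written into HTML, not just comments; a template engine that escapes by default removes the need to remember `escapeHtml` at each call site.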


How often should you carry out a vulnerability assessment?


It depends on your business type. If your peer companies have frequently suffered cyber attacks, you should run a vulnerability test at least every week, and additionally whenever there is a system update or a new external integration.

How do you carry out a vulnerability assessment effectively?


If you are looking for vulnerability assessment tools, have a look at the tools recommended by OWASP (the Open Web Application Security Project). Their list is not exhaustive, but it is a good place to start with the basics.


Alternatively, you can start the journey with Cogen.ai, which offers fully automated vulnerability scanning and continuous risk monitoring for FREE. Beyond basic vulnerability scanning, Cogen.ai has a wide range of cyber security expertise in the Fintech, digital healthcare and e-Commerce sectors. If your business operates in these areas, Cogen.ai can provide further industry insights into cyber security best practices.

Check your cyber risk for free