I recently came across a post on LinkedIn asking for advice on vulnerability management (VM), specifically which elements should be included in the process. Many of the participants gave advice that was really about vulnerability assessment rather than VM. Seeing that confusion, I felt it was important to share my views on the difference. So what is the difference between a vulnerability assessment and VM?
A vulnerability assessment is a point-in-time activity that discovers security weaknesses in the software and/or hardware being assessed. Usually, but not always, vulnerability assessments are performed in an automated fashion. There are various kinds of assessments, including network assessments, web application assessments and even software code assessments. All of them, however, are conducted at a given point in time. An assessment may span days or even weeks, but the essential notion is that it is an engagement that occurs once. An organization that receives the findings from a vulnerability assessment will likely want to act on them. For example, it may correlate the identified vulnerabilities with knowledge of exploit availability, its security architecture and real-world threats. It will also likely attempt to remediate some of the identified vulnerabilities and assign those deemed important to its IT staff. Performing a one-time assessment and then taking these actions are very important activities, and they are elements of VM; but if an organization stops at a one-time assessment and does not perform recurring vulnerability assessments, no VM is really taking place. VM isn’t VM unless you repeat the assessments, and keep repeating them.
VM is a “process” that includes ongoing vulnerability assessments conducted at regular intervals; in some cases the interval is “continuous”, meaning that as soon as an assessment completes it is immediately repeated. The key concept is that with VM the assessments are repeated, and the goal of each repetition is to determine what has changed since the last one: which findings are new, which have been remediated and which persist. We do this to measure progress (or the lack of it), and to gauge risk on an ongoing basis so that it stays at the level the organization has agreed to in its security policy.
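To make the “what changed since the last assessment” step concrete, here is an added example (not code from the original post) that diffs two scan snapshots and totals a simple severity-weighted risk score for each. The scan results, the address-to-asset inventory and the check identifiers (chk-1 to chk-4) are all constructed placeholders; the inventory stands in for whatever stable asset identifier (agent UUID, MAC, CMDB record) an organization actually has. It also shows why the diff is only as good as the endpoint correlation behind it: if findings are keyed by the address the scanner reported, a host that changed IP between scans looks like one vulnerability fixed and another one new, when in fact nothing changed.

```python
"""Assessment-to-assessment diff for a vulnerability management cycle.

Added example, not from the original post. All scan results and the asset
inventory below are constructed sample data, and the check identifiers
(chk-1..chk-4) are placeholders, not real scanner plugin IDs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    address: str   # what the scanner reported: an IP address
    check_id: str  # the scanner check that fired (placeholder IDs here)
    severity: str  # one of SEVERITY_WEIGHT's keys


# Stable asset IDs keyed by the address each host had at scan time
# (constructed: "asset-B" moved from 10.0.0.6 to 10.0.0.9 between scans).
PREVIOUS_INVENTORY = {"10.0.0.5": "asset-A", "10.0.0.6": "asset-B"}
CURRENT_INVENTORY = {"10.0.0.5": "asset-A", "10.0.0.9": "asset-B", "10.0.0.7": "asset-C"}

# Constructed results of two consecutive assessments.
PREVIOUS_SCAN = [
    Finding("10.0.0.5", "chk-1", "critical"),
    Finding("10.0.0.5", "chk-2", "medium"),
    Finding("10.0.0.6", "chk-3", "high"),
]
CURRENT_SCAN = [
    Finding("10.0.0.5", "chk-2", "medium"),  # chk-1 was fixed on asset-A
    Finding("10.0.0.9", "chk-3", "high"),    # asset-B: same bug, new address
    Finding("10.0.0.7", "chk-4", "low"),     # asset-C is new to the estate
]


def keyed(findings: Iterable[Finding], inventory: Dict[str, str],
          by_asset: bool) -> Dict[Tuple[str, str], str]:
    """Map (endpoint_key, check_id) -> severity.

    by_asset=True correlates on the stable asset ID from the inventory
    (falling back to the address if the host is not inventoried);
    by_asset=False correlates on the raw address the scanner reported.
    """
    out: Dict[Tuple[str, str], str] = {}
    for f in findings:
        endpoint = inventory.get(f.address, f.address) if by_asset else f.address
        out[(endpoint, f.check_id)] = f.severity
    return out


def diff_assessments(prev: List[Finding], cur: List[Finding],
                     prev_inv: Dict[str, str], cur_inv: Dict[str, str],
                     by_asset: bool = True) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every (endpoint, check) pair as new, remediated or persisting."""
    p, c = keyed(prev, prev_inv, by_asset), keyed(cur, cur_inv, by_asset)
    return {
        "new": sorted(set(c) - set(p)),
        "remediated": sorted(set(p) - set(c)),
        "persisting": sorted(set(p) & set(c)),
    }


def risk_score(findings: Iterable[Finding]) -> int:
    """Severity-weighted total; the number tracked from cycle to cycle."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def within_policy(findings: Iterable[Finding], max_score: int) -> bool:
    """True if the current assessment keeps risk at or below the agreed ceiling."""
    return risk_score(findings) <= max_score


if __name__ == "__main__":
    for by_asset in (True, False):
        label = "stable asset ID" if by_asset else "raw IP address"
        d = diff_assessments(PREVIOUS_SCAN, CURRENT_SCAN,
                             PREVIOUS_INVENTORY, CURRENT_INVENTORY, by_asset)
        print(f"correlating on {label}:")
        for bucket, items in d.items():
            print(f"  {bucket:11s} {items}")
    print("risk score previous ->", risk_score(PREVIOUS_SCAN),
          "current ->", risk_score(CURRENT_SCAN))
```

Run with the asset-ID correlation, the diff reports one remediated finding (chk-1 on asset-A), one new finding (chk-4 on asset-C) and two persisting ones, and the risk score falls from 17 to 8. Run with raw-address correlation, asset-B's unchanged chk-3 is double-counted as both remediated and new, which overstates remediation progress and hides a persisting high-severity issue from any “still open after N cycles” tracking; the trend number is the same either way, which is exactly why it should not be the only thing you track.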
Stay tuned for my next blog post, in which I’ll cover integrating Network Vulnerability Management systems with other security technologies, and how the accuracy and value of such integrated security technologies depend directly on the accuracy of assessment-to-assessment endpoint correlation.