This article was automatically translated from the original Turkish version.

Vulnerability Assessment

Vulnerability assessment is a planned analysis process designed to identify, classify, and prioritize existing security vulnerabilities in an information system. Since software is developed by humans, it is impossible for it to be flawless; some errors are harmless while others can be exploited to compromise system integrity and availability. For example, common vulnerabilities such as SQL Injection or Cross-Site Scripting (XSS) can provide attackers with unauthorized access.


Vulnerability assessment enables the detection of such vulnerabilities before they are exploited by attackers. This allows organizations to proactively address their weaknesses before an attack occurs.

Purpose of Vulnerability Assessment

The primary purpose of vulnerability assessment is to proactively discover existing or potential security vulnerabilities within an organization’s IT infrastructure, classify them in detail, determine their risk levels, and provide a concrete roadmap for appropriate remediation steps. The key components of this objective are as follows:

  • Make the Current State Visible: An organization does not always have full visibility into the security status of all its assets (servers, clients, mobile devices, IoT, cloud services, databases, etc.). However, cyber attackers continuously scan the internet and systems to find even the smallest vulnerability. Vulnerability assessment allows the organization to discover its own weak points before attackers do.
  • Determine Exploit Potential of Threats: The mere existence of a vulnerability is not enough to judge its risk; it is also important to understand under what conditions it can be exploited and what its potential impact would be. Therefore, assessment involves not only discovery but also impact analysis. For instance, a minor vulnerability in a critical database is more dangerous than a low-risk flaw on a publicly accessible server.
  • Produce Concrete, Actionable Reports: As emphasized by industry standards, assessment does not end with scanning. The results must be prioritized by risk level and presented in clear reports that enable technical teams to take immediate action. These reports typically include CVSS scores, descriptions, recommended fixes, and steps for retesting.
  • Support Compliance Requirements: Standards such as PCI DSS and NIST SP 800-53 mandate regular vulnerability scanning. This enables organizations to demonstrate compliance during audits, avoid regulatory penalties, and maintain trust with business partners.
  • Protect Reputation and Customer Trust: Any data breach or system compromise causes not only financial damage but also harms brand reputation and customer confidence. Proactive scanning allows risky points to be quickly closed, protecting customer data and ensuring business continuity.
  • Accelerate the Remediation Process: Vulnerability assessment transforms identified flaws into prioritized tasks integrated into the IT team’s workflow. Automated patch management, configuration updates, and validation cycles serve this purpose.
  • Support Continuous Improvement: Digital environments are dynamic: new devices are added, software is updated, and configurations change. Assessment is not a one-time activity but a component of an ongoing risk management program.

Types of Vulnerability Assessment

Vulnerability assessment is applied in different forms depending on the type of component being tested and the scope of the risk profile being targeted.

Network-Based Vulnerability Assessment

Network-focused scans are conducted to discover vulnerabilities in an organization’s internal or external network infrastructure. These scans target elements such as:

  • Open ports,
  • Misconfigured routers,
  • Insecure protocols (e.g., outdated SSL/TLS versions),
  • Unauthorized access points.


Internet-accessible servers are often the first components attackers scan. Network-based scans can cover both wired and wireless networks.

Server/Host-Based Vulnerability Assessment

In host-based scans, the focus is on individual devices and servers. Operating system versions, running services, listening ports, and software patches are examined. These scans detect:

  • Critical configuration errors on servers,
  • Default passwords,
  • Missing patches.

They generally provide a deeper internal view than network-based scans.

Application-Based Vulnerability Assessment

This targets application components such as websites, mobile applications, or APIs. Here, risks such as:

  • SQL Injection,
  • Cross-Site Scripting (XSS),
  • Authentication flaws,
  • Improper session management


are investigated. Such scans can be performed dynamically (at runtime) or statically (through source code analysis). They are especially critical for applications handling sensitive customer data.

Database-Based Vulnerability Assessment

Databases store critical information such as customer data, payment details, and confidential documents. Therefore, this type of assessment identifies:

  • Default or weak passwords,
  • Overprivileged user accounts,
  • Outdated database engines,
  • Misconfigured access controls.

This type of assessment is critical for preventing data breaches.

Wireless Network Vulnerability Assessment

This uncovers security flaws in an organization’s wireless network infrastructure:

  • Unauthorized (rogue) access points,
  • Inadequate encryption protocols (e.g., weak encryption like WEP),
  • Weak password policies.


As mobile devices, guest networks, and IoT sensors become more widespread, the importance of wireless scanning has increased.

Vulnerability Assessment Process

Vulnerability assessment consists of cyclical and repeatable steps. The process generally includes the following phases:

Step 1: Planning and Scope Definition

First, it is determined which assets will be scanned. All servers, cloud infrastructure, IoT devices, or mobile devices may be included in the scope. When defining the scope, black box, grey box, or white box testing methods are typically chosen:

  • Black box: The tester has knowledge only of what is externally visible, with no internal details.
  • White box: Full access to internal design details is available.
  • Grey box: A combination of both approaches, with partial internal knowledge.

Step 2: Asset Discovery

Many organizations are unaware of all their assets. Mobile devices, IoT gadgets, or cloud-based virtual machines are mapped during this discovery phase. Modern scanners connect to cloud providers to enhance visibility.

Step 3: Vulnerability Scanning

Automated scanning tools are used on the identified assets to detect known vulnerabilities. The scanner analyzes open ports, running services, and software versions, matching them against the latest Common Vulnerabilities and Exposures (CVE) database.


Some scans send harmless proof-of-concept exploits to confirm the presence of specific vulnerabilities, such as command injection or default password usage.

Step 4: Analysis and Prioritization

Once scanning is complete, a report is generated. Vulnerabilities are typically rated using CVSS (Common Vulnerability Scoring System) scores: Critical, High, Medium, and Low. The location of the vulnerability within the system (e.g., internet-accessible server, sensitive database) affects prioritization.

Step 5: Reporting

Vulnerabilities are presented in a detailed report along with their risk level, potential impact, and recommended solutions. This report is usually passed from the security team to the development team.

Step 6: Remediation

Patches are applied, configurations are updated, or alternative (compensating) controls are implemented. In some cases, temporary risk mitigation or formal risk acceptance documentation is used instead.

Step 7: Validation and Continuous Monitoring

Rescanning is performed after remediation. Since scanning provides only a snapshot, systems may develop new vulnerabilities due to new deployments, updates, or configuration changes. Therefore, assessment must be repeated at regular intervals and continuous monitoring must be maintained.
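The following is an added example, not code from the original article, showing how Step 4 (prioritization by CVSS band and asset context) and Step 7 (validating a rescan against the baseline) can be carried out on scanner output. The asset inventory, CVE identifiers and scores are constructed placeholders.

```python
# Added example (not from the article): prioritise findings by CVSS band and asset context, then validate a rescan.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str     # identifier as reported by the scanner
    cvss: float  # CVSS base score, 0.0-10.0

# Assumed inventory from the asset discovery phase. "dev-03" is deliberately absent:
# an unmanaged host (shadow IT) gets no context weighting, which is itself a blind spot.
ASSET_CONTEXT = {
    "web-01": {"internet_facing": True, "sensitive_data": False},
    "db-01": {"internet_facing": False, "sensitive_data": True},
}
BAND_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def cvss_band(score: float) -> str:
    """Map a base score to the CVSS v3.x qualitative severity rating."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return band
    return "None"

def priority(f: Finding) -> int:
    """Severity rank, escalated one step per context factor (exposure, sensitive data)."""
    ctx = ASSET_CONTEXT.get(f.asset, {})
    bump = sum(ctx.get(k, False) for k in ("internet_facing", "sensitive_data"))
    return BAND_RANK[cvss_band(f.cvss)] + bump

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first, so a pile of Low findings never buries a Critical one."""
    return sorted(findings, key=lambda f: (priority(f), f.cvss), reverse=True)

def validate_rescan(baseline: list[Finding], rescan: list[Finding]) -> dict[str, set[Finding]]:
    """Step 7: classify findings as fixed, persistent or new after remediation."""
    before, after = set(baseline), set(rescan)
    return {"fixed": before - after, "persistent": before & after, "new": after - before}

# Constructed sample scan results; CVE ids are placeholders, not real entries.
BASELINE = [
    Finding("web-01", "CVE-0000-0001", 5.3),
    Finding("db-01", "CVE-0000-0002", 4.0),
    Finding("dev-03", "CVE-0000-0003", 9.8),
    Finding("web-01", "CVE-0000-0004", 9.1),
]
RESCAN = [
    Finding("web-01", "CVE-0000-0001", 5.3),  # patch still missing
    Finding("dev-03", "CVE-0000-0005", 7.5),  # introduced by a new deployment
]
```

Calling `prioritize(BASELINE)` ranks the internet-facing Critical finding above the equally rated one on the unmanaged host, and `validate_rescan(BASELINE, RESCAN)` separates the fixed items from the one still missing its patch and the one that appeared after the baseline.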

Challenges Encountered

Vulnerability assessment is not flawless. Key challenges include:

  • False Positives: Scanners may sometimes report non-threatening issues as vulnerabilities.
  • Prioritization Issues: Accumulation of low-risk vulnerabilities can overshadow critical issues.
  • Blind Spots: Unmanaged devices (shadow IT) or third-party applications may fall outside the assessment scope.
  • Operational Disconnection: Lack of coordination between security and IT operations teams can delay the remediation process.

Author Information

Author: Beyza Nur Türkü, December 3, 2025 at 9:25 AM
