Security assessment involves several stages to identify risks and analyze security. These stages include discovery to identify systems, vulnerability scanning to find weaknesses, assessment to analyze risks in context, security assessment to manually verify exposures, penetration testing to exploit vulnerabilities, security auditing to ensure compliance, and security review to check adherence to standards. The overall goal is a thorough analysis of threats and risks to assess security and identify improvements.
Security assessment
1. What is Security assessment? What are the different stages involved in it?
Security assessment has several stages, viz. the discovery stage, vulnerability scan, vulnerability assessment,
security assessment, penetration test, security audit and security review stage.
Security assessment is a thorough study done mainly to identify IT related threats and risks.
Full support of the organization being assessed is required for an explicit study. The
organization should allow the assessor access to its network, facilities, etc. An assessment is
done to assess the working of the present security system and to make improvements, if any.
Amongst all the security tests, a security assessment is the most useful test.
Security assessment is also known as security audit or security review. It should make sure
that all necessary security tools required to protect the system have been incorporated into
the system. A security assessment goes through a number of stages to identify the risks
and to analyze the situation.
1. Discovery stage: the services and systems under operation are identified. This
process does not identify the weaknesses of the system, but may at times point out
obsolete versions of software/firmware, which in turn may be helpful in identifying
potential vulnerabilities.
2. Vulnerability scan stage: it is meant to identify security issues. With the help of
automated tools it matches observed conditions against known vulnerabilities. Manual scanning
or interpretation is not required, as the tool automatically sets the reported risk level.
3. Vulnerability assessment stage: it uses discovery and vulnerability scanning to identify
security vulnerabilities and places the findings into the context of the
environment under test.
4. Security assessment stage: the basis of this stage is the vulnerability assessment. In order
to confirm exposure it adds manual verification, but does not include exploiting
vulnerabilities to gain further access. Security assessment can be done with authorized
access in order to check system settings. It also examines logs, system responses, error
messages, codes, etc.
5. Penetration test: imitates an attack by a malicious person; in order to gain further
access it exploits the vulnerabilities present. This test may help us understand the
potential of a person trying to get at confidential information or data. In
comparison to the security assessment approach, which looks at broader coverage,
this stage goes to the origin of the attack.
6. Security audit: is responsible for handling compliance issues. Due to its narrow
scope it is flexible enough to use any of the above mentioned approaches, i.e.
vulnerability assessment, security assessment, etc.
7. Security review: making sure that the product is adhering to the internal security
standards. This stage follows a gap analysis and also makes use of build/code reviews
or design data and diagrams. This stage is not related to the earlier approaches.
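To make the boundary between stages 1 to 3 concrete, here is an added example (not part of the original text) that models discovery, automated vulnerability scanning and contextual vulnerability assessment as three separate functions. The host inventory, version numbers, the "known vulnerabilities" table with its KV-xxxx placeholder ids, and the exposure-based weighting are all constructed for illustration.

```python
"""Discovery -> vulnerability scan -> vulnerability assessment, as three stages.
Every host, version and vulnerability record below is constructed sample data."""

# Stage 1 output: services and versions only, with no judgement about weakness.
INVENTORY = [
    {"host": "10.0.0.5",  "service": "openssh", "version": "7.4",    "exposure": "internet"},
    {"host": "10.0.0.9",  "service": "openssh", "version": "7.9",    "exposure": "internal"},
    {"host": "10.0.0.12", "service": "httpd",   "version": "2.4.49", "exposure": "internet"},
    {"host": "10.0.0.20", "service": "httpd",   "version": "2.4.58", "exposure": "internal"},
]

# Constructed knowledge base: versions below "fixed_in" are affected.
# Ids are placeholders, not real CVE numbers; severities are made up.
KNOWN_VULNS = [
    {"id": "KV-0001", "service": "openssh", "fixed_in": "8.0",    "severity": 7.5},
    {"id": "KV-0002", "service": "httpd",   "fixed_in": "2.4.50", "severity": 9.8},
]


def parse_version(text):
    """Dotted numeric version -> tuple, so '2.4.9' < '2.4.50' compares correctly."""
    return tuple(int(part) for part in text.split("."))


def discover():
    """Stage 1: enumerate what is running; flags nothing as vulnerable."""
    return [dict(entry) for entry in INVENTORY]


def vulnerability_scan(inventory, known=KNOWN_VULNS):
    """Stage 2: automated match of discovered versions against known issues.
    The tool, not a human, sets the reported risk (here: the catalogue severity)."""
    findings = []
    for svc in inventory:
        for kv in known:
            if kv["service"] == svc["service"] and \
                    parse_version(svc["version"]) < parse_version(kv["fixed_in"]):
                findings.append({"host": svc["host"], "vuln": kv["id"],
                                 "reported_risk": kv["severity"]})
    return findings


def vulnerability_assessment(findings, inventory):
    """Stage 3: put scan findings into the context of the environment under test.
    Here the only context is network exposure: internal hosts are weighted at 0.5."""
    exposure = {h["host"]: h["exposure"] for h in inventory}
    assessed = []
    for finding in findings:
        weight = 1.0 if exposure[finding["host"]] == "internet" else 0.5
        assessed.append({**finding, "contextual_risk": finding["reported_risk"] * weight})
    return sorted(assessed, key=lambda f: f["contextual_risk"], reverse=True)
```

Running the three functions in sequence shows why the stages are kept apart: discovery produces no risk at all, the scan produces the same reported risk for both affected OpenSSH hosts, and only the assessment stage ranks the internet-facing one higher.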
For more information on security assessment you can visit
URL: http://www.ivizsecurity.com/application-penetration.html