Vulnerability Assessment - Systematic Vulnerability Evaluation
A vulnerability assessment is the systematic identification and prioritization of security vulnerabilities in IT systems using scanners, configuration checks, and manual reviews—without actively exploiting them (unlike a penetration test). The result is a prioritized risk report that includes CVSS scores and remediation recommendations.
Vulnerability Assessment (VA) and Penetration Testing (PT) are often confused, but they have different objectives. A VA asks: "What vulnerabilities exist?" A PT asks: "How far could a real attacker get using these vulnerabilities?"
VA vs. Penetration Testing
| | Vulnerability Assessment | Penetration Testing |
|---|---|---|
| Objective | Complete inventory of all known vulnerabilities | Exploitation of vulnerabilities, realistic attack path |
| Method | Automated scanner + manual review | Manual analysis, creative attack combinations |
| Depth | Broad, not deep | Deep, not necessarily broad |
| Exploitation | NONE (only check for presence) | YES (with authorization!) |
| Frequency | Weekly to monthly | 1-2x per year or after significant changes |
| Result | List with CVSS scores, patch recommendations | Business impact, realistic risk assessment, evidence |
| Advantage | Fast, inexpensive, automatable | Finds logic errors, combination attacks, business risks |
VA serves as the continuous foundation; PT validates and delves deeper on a selective basis. Both complement each other: VA without PT overlooks attack paths; PT without VA systematically overlooks known CVEs.
VA Process
Phase 1: Scoping - What is being scanned (IP ranges, domains, cloud accounts)? When (business hours or maintenance windows, since scans can disturb fragile services)? Who is notified (NOC, IT team, SOC, so that scan traffic is not handled as an incident)? Which hosts are excluded? Authenticated or unauthenticated scanning?
Phase 2: Asset Discovery - Which systems are actually in scope? Nmap for network discovery (host and port enumeration), Shodan for the externally visible attack surface. Compare the result against the asset inventory: systems that are found but not inventoried are themselves a finding.
Phase 3: Vulnerability Scanning - Automated scanner (Nessus, OpenVAS, Qualys, Rapid7); credentials for authenticated scanning (typically 3-5x more findings, because the scanner can read installed package versions and configuration from the inside instead of guessing from banners); cloud scanning (AWS Inspector, Microsoft Defender for Cloud (formerly Azure Defender), GCP Security Command Center). A Nessus "Advanced Scan" with credentials detects unpatched software, insecure configuration, default passwords, and weak encryption.
Phase 4: Manual Validation - Scanners produce false positives (up to 30%, often from version strings of backported packages); review critical findings manually, e.g. by confirming the reported version against the installed package; assess context (is the vulnerable service reachable from the internet or only internally?).
Phase 5: Risk Prioritization
| CVSS Score | Rating |
|---|---|
| 9.0-10.0 | Critical |
| 7.0-8.9 | High |
| 4.0-6.9 | Medium |
| 0.1-3.9 | Low |
| 0.0 | None (informational) |
CVSS alone is not enough, because it rates the vulnerability, not the risk to your environment. Is the system reachable externally (higher risk)? Is the CVE in the CISA KEV catalog (actively exploited, patch immediately)? How critical is the asset (production DB vs. dev server)? EPSS (Exploit Prediction Scoring System, published by FIRST) complements CVSS with the probability that exploitation activity for the CVE will be observed within the next 30 days; the daily score files are available at epss.cyentia.com.
Phase 6: Reporting and Remediation - Executive summary (overall risk, top 3 findings, business impact), technical report (all findings with CVSS, affected hosts, and recommendations), patch SLAs counted from the date of discovery (Critical 24h, High 7 days, Medium 30 days), and a re-scan after remediation to confirm that the finding is actually gone.
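The prioritization and SLA logic of phases 5 and 6, as an added example that is not part of the original page. It takes the CVSS base score and adjusts it with the context signals named above (KEV membership, EPSS, external exposure, asset criticality), then derives a patch due date. The adjustment rules, the EPSS threshold of 0.10, the 90-day SLA for Low, and the sample findings are assumptions made for this example; the CVE identifiers are placeholders, not real entries.

```python
"""Risk prioritization for vulnerability-assessment findings (example code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# CVSS v3.x qualitative severity bands, lowest to highest.
RATINGS = ["None", "Low", "Medium", "High", "Critical"]

# Patch SLAs from the text; the Low value (90 days) is an assumption for this example.
SLA = {
    "Critical": timedelta(hours=24),
    "High": timedelta(days=7),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=90),
}

# Policy assumption: EPSS at or above this on an internet-facing host bumps the rating.
EPSS_HIGH = 0.10

# Fixed discovery timestamp so that due dates are reproducible (assumption).
FOUND_AT = datetime(2024, 1, 1)


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float          # CVSS base score 0.0-10.0
    epss: float          # EPSS probability 0.0-1.0
    in_kev: bool         # listed in the CISA KEV catalog
    external: bool       # reachable from the internet
    criticality: str     # "production", "staging" or "dev"


def cvss_rating(score: float) -> str:
    """Map a CVSS base score to its qualitative severity band."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def effective_rating(f: Finding) -> str:
    """Adjust the CVSS band with environment context (rules are assumptions)."""
    base = cvss_rating(f.cvss)
    if base == "None":
        return base
    if f.in_kev:                      # actively exploited: always top priority
        return "Critical"
    idx = RATINGS.index(base)
    if f.external and f.epss >= EPSS_HIGH:   # likely to be exploited and reachable
        idx = min(idx + 1, len(RATINGS) - 1)
    if f.criticality == "dev" and not f.external:   # low-value, internal only
        idx = max(idx - 1, 1)                       # never below Low
    return RATINGS[idx]


def due_date(f: Finding, found_at: datetime):
    """Patch deadline for a finding, or None if it only needs to be recorded."""
    rating = effective_rating(f)
    return None if rating == "None" else found_at + SLA[rating]


def prioritize(findings):
    """Order findings: rating, then KEV first, then EPSS, then CVSS."""
    return sorted(
        findings,
        key=lambda f: (-RATINGS.index(effective_rating(f)), not f.in_kev, -f.epss, -f.cvss),
    )


def report(findings, found_at: datetime):
    """Return (host, cve, effective rating, due date as ISO string or None) rows."""
    rows = []
    for f in prioritize(findings):
        due = due_date(f, found_at)
        rows.append((f.host, f.cve, effective_rating(f), due.isoformat() if due else None))
    return rows


# Constructed sample findings, not real scanner output; CVE ids are placeholders.
SAMPLE = [
    Finding("web-01", "CVE-EXAMPLE-1", 7.5, 0.60, True, True, "production"),
    Finding("db-01", "CVE-EXAMPLE-2", 9.8, 0.02, False, False, "production"),
    Finding("dev-03", "CVE-EXAMPLE-3", 7.2, 0.01, False, False, "dev"),
    Finding("web-02", "CVE-EXAMPLE-4", 5.3, 0.30, False, True, "production"),
]

if __name__ == "__main__":
    for host, cve, rating, due in report(SAMPLE, FOUND_AT):
        print(f"{rating:8} {host:8} {cve:15} due {due}")
```

Note how the ordering differs from a plain CVSS sort: the KEV entry with CVSS 7.5 on the internet-facing web server ranks above the CVSS 9.8 on the internal database, and the CVSS 7.2 on the internal dev box drops to Medium with a 30-day SLA. Feeding real KEV and EPSS data into `in_kev` and `epss` (both are downloadable as CSV/JSON) is the main thing to add before using this on actual scan output.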
Scanner Comparison:
| Tool | Features |
|---|---|
| Nessus Professional (Tenable) | Market leader, >70,000 plugins, ~$4,000–5,000/year; Cloud version: Tenable.io |
| Qualys VMDR | Cloud-native, agent-based (continuous monitoring even when VPN is off), IT asset management integration |
| Rapid7 InsightVM | Live dashboards, good remediation workflows; builds on the Nexpose scan engine and console and adds the cloud-based Insight platform |
| OpenVAS / Greenbone | Free (Community), functional for SMBs; Greenbone Enterprise for support + updates |