Penetration tests vs. vulnerability scans

There are two types of Information Security processes that assess vulnerabilities

Written by Michelle Strickler
Updated over a week ago

Organizations must perform vulnerability assessments as part of their compliance program. There are different types of vulnerability assessments, and the organization should periodically execute at least one of them: a penetration test, vulnerability scans, or both.

A penetration test (pen test) is an Information Security process where an ethical hacker attempts to gain access to the organization's application, network, and general solution components to test its security setup and security response. A pen test aims to identify ways to exploit vulnerabilities to defeat the security features of system components. Pen tests should occur at least annually and upon significant changes in the company’s solution and must be conducted by a third party.

A vulnerability scan compares an organization's current configuration against a continuously updated list of vulnerabilities. The purpose of a vulnerability scan is to identify, rank, and report vulnerabilities that, if they were to be exploited, could compromise a system or the general company information security program. Vulnerability scans should take place at least quarterly and upon significant changes in the company's solution and can be conducted internally or by a third party.

Examples of vulnerability scanning include:

  • Firewall services scan against common vulnerabilities.

    • Hosted services have a lower risk because organizations can use free tools and have a simpler network architecture.

  • Network scanners such as Nessus, Qualys, and McAfee scan the network against published vulnerabilities.

  • Web application vulnerability scanners are automated tools that scan web applications to look for security vulnerabilities such as cross-site scripting, SQL injection, command injection, path traversal, and insecure server configuration.

It is wise to use the cloud service providers’ built-in vulnerability scanning services, such as AWS’ Amazon Inspector or Azure Security Center recommendations. Additionally, consider scanning your software code for known vulnerabilities against the OWASP Top 10 (or other frameworks) as part of your software change management process. GitHub and other open-source tools may include dependency scanning as well.
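To make concrete what a vulnerability scan does in the sense described above (compare the current inventory against a vulnerability list, then rank and report what matches), here is an added example of a minimal dependency-scan step. It is not Strike Graph's code or any scanner's; the package inventory and advisory feed are constructed sample data, and the advisory identifiers are placeholders.

```python
# Added example (not Strike Graph's code): a minimal dependency-scan step of the kind
# the article describes: compare an inventory of installed components against a
# vulnerability list, then rank and report the matches by severity.
# The inventory and advisory feed below are constructed sample data.
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, not a real CVE
    package: str
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive); "" means no fix yet
    severity: str

# Constructed advisory feed; a real scanner pulls this from a continuously updated source.
ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "1.0.0", "1.4.2", "high"),
    Advisory("ADV-0002", "libfoo", "2.0.0", "2.0.5", "critical"),
    Advisory("ADV-0003", "webbar", "0.9.0", "", "medium"),
    Advisory("ADV-0004", "webbar", "0.1.0", "0.5.0", "low"),
]

def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def is_affected(installed: str, adv: Advisory) -> bool:
    """True if the installed version lies in the range [introduced, fixed)."""
    cur = parse_version(installed)
    if cur < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or cur < parse_version(adv.fixed)

def scan(inventory: dict) -> list:
    """Match inventory {package: version} against ADVISORIES; highest severity first."""
    findings = [
        (adv.severity, adv.advisory_id, pkg, ver, adv.fixed or "no fix available")
        for pkg, ver in inventory.items()
        for adv in ADVISORIES
        if adv.package == pkg and is_affected(ver, adv)
    ]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]], reverse=True)

if __name__ == "__main__":
    # Constructed inventory, e.g. read from a lock file or a package manager listing.
    sample = {"libfoo": "1.2.10", "webbar": "0.9.3", "baz": "3.1.0"}
    for sev, aid, pkg, ver, fix in scan(sample):
        print(f"{sev.upper():8} {aid} {pkg} {ver} -> fix: {fix}")
```

Note that numeric version comparison matters: as strings, "1.10.0" sorts before "1.4.2" and would be wrongly reported as affected.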

Strike Graph offers both penetration testing and vulnerability scanning services. Reach out to your CSM if interested in learning more!
