Vulnerability Assessments

Vulnerability assessments can be a very effective way of gathering information on an organization's internal security posture. The purpose is to accumulate data on any weaknesses revealed so that they can be proactively mitigated before they are exploited. There are a number of tools that can be used to carry out vulnerability assessments. Typically, software-based tools are used to scan a selected part of an organization's infrastructure. This can range from specific areas that are exposed to the public to entire sections of the organization's network. Cima (2001) lists four of the most common types of vulnerability scanner: network-based scanning tools, host-based scanning tools, database scanning tools, and wardialers.

Before carrying out any type of vulnerability scan, the first step an organization should take is to gather information on its people, processes, and technology. Vulnerability tools help with assessing technology; however, other methods should be established to effectively gather information on business processes and personnel. After the information is gathered, prioritization should begin by determining which assets are most critical and need to be addressed first, followed by implementation of mitigation strategies. The vulnerability assessment process should be ongoing within an organization. Implementation of a framework such as Homeland Security's Continuous Diagnostics and Mitigation (CDM) should also be central to vulnerability assessment ("Continuous Diagnostics and Mitigation (CDM)," 2018). An effective CDM approach assists in prioritization and ongoing defense and protection.
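The prioritization and ongoing-assessment steps described above, as an added illustration that is not part of the original post: findings from the scanner types the article names are weighted by an asset-criticality inventory (the output of the information-gathering step), ranked so the most critical assets come first, and compared against the previous run to show what is new and what was resolved. Asset names, check identifiers, criticality values and severities are constructed sample data, not real scan output.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory: business criticality of each asset on a 1 (low) to 5 (high) scale.
ASSET_CRITICALITY = {"db01": 5, "web01": 4, "hr-laptop-12": 2}

@dataclass(frozen=True)
class Finding:
    asset: str        # host or system the scanner reported on
    scanner: str      # "network", "host" or "database" (a wardialer result would fit the same shape)
    check: str        # scanner's check identifier (constructed)
    severity: float   # 0.0 to 10.0, as reported by the scanner (constructed)

def priority(f: Finding) -> float:
    """Weight scanner severity by how critical the affected asset is.

    Assets missing from the inventory get the lowest weight so they still
    surface in the list without outranking assets already flagged as critical."""
    return f.severity * ASSET_CRITICALITY.get(f.asset, 1)

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings so the most critical assets are addressed first."""
    return sorted(findings, key=priority, reverse=True)

def diff_runs(previous: list[Finding], current: list[Finding]):
    """Continuous view across two scan runs: (new findings, resolved findings)."""
    prev, cur = set(previous), set(current)
    return prioritize(list(cur - prev)), prioritize(list(prev - cur))

# Constructed results of two consecutive weekly runs.
LAST_WEEK = [
    Finding("web01", "network", "tls-weak-cipher", 5.3),
    Finding("db01", "database", "default-credentials", 9.8),
    Finding("hr-laptop-12", "host", "missing-os-patch", 7.5),
]
THIS_WEEK = [
    Finding("web01", "network", "tls-weak-cipher", 5.3),
    Finding("hr-laptop-12", "host", "missing-os-patch", 7.5),
    Finding("web01", "host", "outdated-web-server", 8.1),
]

if __name__ == "__main__":
    for f in prioritize(THIS_WEEK):
        print(f"{priority(f):5.1f}  {f.asset:12} {f.scanner:9} {f.check}")
    new, resolved = diff_runs(LAST_WEEK, THIS_WEEK)
    print("new:", [f.check for f in new], "resolved:", [f.check for f in resolved])
```

Note that the host finding on web01 outranks the higher raw severity on the laptop because the inventory step rated the web server as more critical; the run-to-run diff is what makes the process ongoing rather than a one-off scan.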

Cima, S. (2001). Vulnerability Assessment (p. 14). SANS Institute InfoSec Reading Room. Retrieved from
Continuous Diagnostics and Mitigation (CDM). (2018). Retrieved February 10, 2018, from

Image Credits: Photo by Lewis Ngugi on Unsplash.

About The Author

Ian Carnaghan

I am a software developer and online educator who likes to keep up with all the latest in technology. I also manage cloud infrastructure, continuous monitoring, DevOps processes, security, and continuous integration and deployment. In my spare time I teach undergraduate classes in web development.
