A vulnerability assessment is an automated process designed to detect the presence of known software vulnerabilities, common system and network misconfigurations and, in specific instances, application weaknesses typically found in web applications. Similarly to penetration tests, assessments of this type can be conducted either from an external perspective (such as against corporate websites) or against your internal network and systems. Supplying a privileged user account is not required, although it is recommended for web application tests; when one is supplied, the vulnerability assessment can yield even greater results, as the scanner can “see” and assess more information about the target systems.
Similarly to a penetration test, vulnerability assessments can be conducted from either of two perspectives. An external vulnerability assessment is conducted against your public infrastructure (public IP addresses) to assess for weaknesses that could be exploited from outside. An internal vulnerability assessment is conducted against your internal systems (LAN, WAN and workgroup) to assess the security of your systems against internal threats, such as disgruntled staff, fraud perpetrators and social engineers. Due to the nature of the tests, eli5 will not perform any vulnerability assessment without first receiving written approval from the client.
It is generally regarded as good practice to conduct both external and internal vulnerability assessments against your systems at least every 3 months (as required by PCI DSS v3.1) or after a significant change is made to the environment. eli5’s internal vulnerability scan reports can be used as part of your PCI DSS v3.1 evidence.