Vulnerability Assessment & Security Testing

A vulnerability assessment is usually undertaken with automated tools. It is critical that a security testing engagement does not stop at running such tools: each result must be verified so that false positives are eliminated and the findings that remain are ones the client can act on.

Vulnerability Assessment: Limitations

All too often 7Safe's penetration testing team sees security testing reports or vulnerability assessment exercises that are simply a copy and paste from a series of automated tools. Sadly for the client, such results are often full of false positives and, worse, subject to false negatives, i.e. cases where the vulnerability assessment has failed to detect a vulnerability that is actually present.

A Better Type of Vulnerability Assessment

Our penetration testing team strongly believes in results verification: each finding from a vulnerability assessment tool is checked for correctness before it is reported. More importantly, in the report the pen test consultant can give a considered opinion on each finding, which greatly helps the client's remediation effort. The vulnerability assessment thus becomes a more valuable document to the decision maker, because the penetration testing consultant has taken the time to highlight overall areas of concern and to provide advice and consultancy.
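To make the verification step concrete, here is an added example (not 7Safe's own tooling or report format) of what separates a copy-and-paste scanner result from a verified finding. It uses a classic header-based scanner check, "HTTP TRACE method enabled", which many tools infer purely from the Allow header returned to an OPTIONS request. Two constructed local HTTP servers stand in for scanned hosts: both advertise TRACE, but only one honours it. The scanner-style check flags both; the verification step sends a real TRACE request carrying a marker header and keeps the finding only where the server echoes it back. The host labels, the finding dictionary layout and the marker header name are assumptions made up for the example.

```python
"""Verify a scanner finding instead of copy-pasting it.

Added example, not 7Safe's code. Two constructed local servers emulate
scanned hosts. Both list TRACE in their OPTIONS Allow header (the evidence a
header-based scanner keys on), but only one actually echoes a TRACE request.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class AdvertisesTraceButRefuses(BaseHTTPRequestHandler):
    """Constructed host A: Allow header lists TRACE, but TRACE is rejected."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class ReallyEchoesTrace(AdvertisesTraceButRefuses):
    """Constructed host B: TRACE genuinely echoes the request (true positive)."""

    def do_TRACE(self):
        body = self.raw_requestline + b"".join(
            f"{k}: {v}\r\n".encode() for k, v in self.headers.items()
        )
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    """Bind a server to an ephemeral loopback port and serve it in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def scanner_says_trace_enabled(host, port):
    """What a header-based scanner does: infer from the Allow header alone."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "/")
    allow = conn.getresponse().getheader("Allow", "")
    conn.close()
    return "TRACE" in allow.upper()


def verify_trace_enabled(host, port):
    """Verification: send TRACE with a marker header and check it is echoed."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"X-Verify-Token": "trace-check"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status == 200 and b"X-Verify-Token: trace-check" in body


def triage(findings):
    """Split raw scanner findings into confirmed and false-positive lists."""
    confirmed, false_positives = [], []
    for f in findings:
        if f["check"] != "http-trace":
            continue
        (confirmed if verify_trace_enabled(f["host"], f["port"])
         else false_positives).append(f)
    return confirmed, false_positives


def run_demo():
    """Return (flagged_by_scanner, confirmed, false_positives) host labels."""
    a = start_server(AdvertisesTraceButRefuses)
    b = start_server(ReallyEchoesTrace)
    try:
        hosts = {"host-a": a.server_address[1], "host-b": b.server_address[1]}
        # Step 1: the automated check flags BOTH hosts from the Allow header.
        raw = [{"host": "127.0.0.1", "port": p, "check": "http-trace", "label": n}
               for n, p in hosts.items()
               if scanner_says_trace_enabled("127.0.0.1", p)]
        # Step 2: verification keeps only the host that really echoes TRACE.
        confirmed, fps = triage(raw)
        return ([f["label"] for f in raw],
                [f["label"] for f in confirmed],
                [f["label"] for f in fps])
    finally:
        for srv in (a, b):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The point of the marker header is that a verified finding carries evidence (the echoed request) rather than an inference; the same pattern applies to any scanner check that keys on a banner or a version string, where the verification request exercises the behaviour the finding actually claims.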

PCI Penetration Testing

For some organisations the PCI DSS (Payment Card Industry Data Security Standard) mandates both regular vulnerability assessment (quarterly external scans by an Approved Scanning Vendor, i.e. a PCI ASV scan) and penetration testing. However, there is a very significant difference between the two approaches:

Vulnerability Assessment – this is essentially a battery of clever, usually automated tests, or security testing tool exercises, that look for (generally) known lists of vulnerabilities. Whilst they do reduce risk by providing excellent breadth of coverage, they are prone to false positives and do not replace the intuition and creativity of a penetration testing consultant; hence the need for a periodic pen test / penetration test.

Penetration Testing – this term refers to the use of a penetration testing consultant who undertakes testing using experience, strong intuition, guidance from standards such as OWASP (Open Web Application Security Project, see www.OWASP.org), a mixture of best-of-breed vulnerability assessment, penetration testing and other security testing tools, together with bespoke scripts and other in-house written applications. A penetration testing team will also provide highly customised guidance in the form of a report that is both technical and business-driven; this makes for a living document against which remediation activities may be driven by the client and the PCI QSA consultant during a PCI DSS audit. Please see our PCI testing for further details.

7Safe London
123 Buckingham Palace Road
London, SW1W 9SR
United Kingdom

Tel: +44 (0)870 600 1667
Fax: +44 (0)122 328 1114
7Safe Cambridge
Cambridge Technology Centre
Melbourn, Herts SG8 6DP
United Kingdom

Tel: +44 (0)870 600 1667
Fax: +44 (0)122 328 1114