"At a high level, security assessments can be considered as 'inside out' and identify potential vulnerabilities. Pentests, on the other hand, are 'outside in', and don't just identify vulnerabilities - they go further by verifying that they are real and can be exploited. Both are vital components of a comprehensive security program and complement each other in identifying vulnerabilities and strengthening your company defences." Alice Conibere, Junior Security Researcher
What is a security assessment?
A security assessment typically focuses on a specific area of risk that an organisation has identified, or it can provide a holistic overview of an organisation and the security systems it currently has in place. It is a broad approach that can examine all aspects of an organisation, including security, policies, procedures, and technical controls. An internal team or a third party identifies potential vulnerabilities through a series of security exercises and reviews the procedures that have been implemented. Because a security assessment relies on someone manually investigating an organisation, the potential vulnerabilities it identifies are not exploited.
Some organisations might choose to include a vulnerability assessment as part of their security assessment, using automated tools such as Nessus to scan their network for potential vulnerabilities that an attacker could exploit. These tools are not a complete security solution, as they only provide a snapshot of the network at that given point in time. It is up to the organisation's relevant parties to patch the vulnerabilities identified by automated vulnerability scanners; however, Nessus does provide advice suggesting the best way for an organisation to mitigate any vulnerabilities it identifies.
When undertaking a security assessment, the first step is for the organisation to define the scope of the assessment. This includes identifying any relevant networks, systems, or applications that will be assessed. Relevant information about the identified assets is then gathered, and interviews may be conducted with relevant stakeholders to uncover further information. Documentation, policies, and system configurations are also reviewed so that any potential vulnerabilities can be identified. The party conducting the security assessment then provides mitigations to the organisation, so that the organisation can implement these recommendations.