Vulnerability Assessment

Ask A-LIGN: What is the difference between a Penetration Test and a Vulnerability Assessment?

A square is a rectangle but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the market place between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure I ask “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project.  I would like to outline the purpose of the two projects and when you would select each.

Read More

Ask A-LIGN: What is the difference between a Penetration Test and a Vulnerability Assessment?

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services  A square is a rectangle but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the market place between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure I ask “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project. I would like to outline the purpose of the two projects and when you would select each.

Read More

Common Database Vulnerabilities and Misconfigurations

I recently attended the MIS Training Institute’s Infosec Conference held in Orlando, Florida and sat in on a presentation by Josh Shaul, Chief Technology Officer with Application Security Inc.  The topic of the presentation was the top 10 most common database vulnerabilities and misconfigurations. I felt that the information was not only relevant to providing assurance of database systems security when auditing, but also provided a glimpse of some of the most common and sophisticated attack methods used to invade enterprise databases, and I wanted to pass along a few of the more important points.

Read More