IT vulnerability assessment or vulnerability management is a branch of IT security.
It is concerned with identifying, assessing, and addressing vulnerabilities in computer systems and software.
This post reviews some aspects regarding IT vulnerabilities.
You can read a more general introduction to cybersecurity on this post.
Vulnerability Identification
Attack surface is the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data. The smaller the attack surface, the easier it is to protect.
Some products like Microsoft Defender for Endpoint has Attack Surface Reduction (ASR) functionalities.
A vulnerability scanner tool helps a organization to identify scanners.
You can read an introduction to IT vulnerabilities, including a list of IT vulnerability databases, on this post.
Vulnerability Standards
There are some standards to manage and measure vulnerabilities.
Security Content Automation Protocol (SCAP)
Security Content Automation Protocol (SCAP) is issued by the National Institute of Standards and Technology (NIST).
Components:
- CVE
- CVSS
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Extensible3 Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
Script Check Engine (SCE) is an extension to the SCAP protocol.
Vulnerability Exploitability Exchange (VEX)
A Vulnerability Exploitability Exchange (VEX) document contains machine-readable statements about the status of software vulnerabilities with respect to a software product.
OpenVEX is an open implementation of VEX by the OpenSFF project of the Linux Foundation. You can read an article about OpenVEX on this external link.
Vulnerability Scoring Systems
You can find a list of IT vulnerability scoring systems on this post.
The most popular one is CVSS.
Vulnerability Databases
MITRE Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types.
You can find a full list of vulnerabilty databases on this post.
Zero-Day Vulnerability Teams
This section lists some relevant teams within companies that are focused on finding and notifying to system owners zero-day vulnerabilites.
Zero-Day Vulnerability Teams featured on this post:
- Google Project Zero
- Trend Micro’s Zero Day Initiative
Google Project Zero
Project Zero is a team within by American company Google.
Trend Micro’s Zero Day Initiative
Zero Day Initiative is an initiative by American company Trend Micro.
Vulnerability Assessment Tools
You can find vulnerability assessment tools for PC on this post.
You can find vulnerability assessment tools for mobile on this post.
You can find WiFi vulnerability scanning tools on this post.
AI Tools for Vulnerability Assessment
BurpGPT is a tool that uses ChatGPT for vulnerability assessment. You can find it on this external link.
Media related to IT & OT Security
You can find a list of media related to IT security on this post.
You can find a list of media related to OT security on this post.