Vulnerability Assessment Vendors: How to Find the Right One

Learn about the key factors to pay attention to when selecting a provider of network vulnerability assessment services.

• Mar 25, 2019

Regular vulnerability assessment contributes positively to the improvement of the security state of your company’s network. In this article, we’ll show you how to find a professional provider with the competence necessary to perform network vulnerability assessment properly.

Where vulnerability assessment can fall flat

When selecting an appropriate information security services provider, it’s essential to know the key factors to pay attention to. Before choosing the company to conduct vulnerability assessment of your network, it’s important to get the full picture of your potential vendor’s capabilities and competencies. Sometimes, due to the lack of experience, qualification, etc., vendors may fail to provide their customers with high-quality services. We mention below the most common mistakes vendors make and describe what to expect from a good vendor.

1. Vendors miss the initial stage of clarifying significant details. Vulnerability assessment service providers who are not experienced enough may fail to ask the right questions to get the information on the specifics of your network configurations, for example, where the sensitive data is stored, how your network is protected, what rights the users need to access the servers, etc. The primary task of a qualified vendor is to help you take the right decision regarding how exactly you want your network be assessed (for example, do you want the security engineers to perform scanning from the ‘inside’ of a network or the ‘outside’?). Experienced vendors can provide you with a security assessment questionnaire at the stage of negotiations. Such questionnaires simplify estimating the scope of work for a vendor, as well as clarify whether the customer needs to be compliant with any security standards and regulations (PCI DSS, HIPAA, etc.), what security measures are already in place (firewall protection, IPS/IDS), etc. 
2. Vendors fail to provide a comprehensive description of the whole network vulnerability assessment process. They must be ready to explain their choice of the approach for performing vulnerability assessment. The explanation doesn’t imply simply giving the list of the scanning tools being used – such information will not be valuable for you as a customer since it doesn’t give you any idea about what exactly will be assessed with those tools. A prospective vendor should be able to clearly describe the steps they are going to execute, and deliverables you get at the end of the process. 
3. Vendors may try to cut down their costs by attracting entry-level security testing team. Such security specialists can set up a scanning tool but do not have the necessary qualification to draw up a report containing reliable information. Therefore, when assessing a prospective vendor, do not take only their portfolio (the publicly available information on the completed projects) into consideration. What you should pay attention to is the experience of the vendor’s security engineers. Focus on their certifications, published scientific papers, participation in awards programs, etc. Assess the professionals, not the company’s brand. 
4. Vendors fail to provide their customers with recommendations aimed to remediate the revealed security weaknesses. In spite of the fact that network vulnerability assessment implies only “opening the door” to see the security weaknesses hidden behind it, the ability to point out the network’s flaws is not enough. To assess the vendor’s competence in this matter, you should have a look at the template of the final report they provide at the end of network vulnerability assessment. A well-structured report consists of two main elements: an executive summary (a brief and clear evaluation of the overall security level of your network) and a technical report (a thorough description of the activities performed by security engineers and their findings).

What types of vulnerabilities a vendor may find or miss

In the process of vulnerability assessment, two main types of vulnerabilities can be found: logical and technical. Technical vulnerabilities can be easily detected with automated scanning tools, so even the vendors with not a very high skill level can find them just by setting up a scanning tool correctly. However, only security testing professionals can detect logical vulnerabilities manually as they understand the logic according to which the customer’s network works.

Among the most well-known technical vulnerabilities are:

• Susceptibility to SQL injection. This vulnerability means a possibility to place malicious code in SQL statements (through a web page input). A successful SQL injection exploit can provide attackers with an opportunity to access and modify, or even destroy the sensitive data in your databases. 
• Susceptibility to cross site scripting (XSS) attacks. It’s a type of security attack when a hacker inserts, for example, a malicious script into content from other websites that your network trusts. This vulnerability may allow attackers to spread malware, phish for credentials, etc. 
• Susceptibility to cross-site request forgery (CSRF). This vulnerability allows making a user’s web browser execute an unwanted action in the web application to which this user is logged in. Successfully performed CSRF attacks can result in unauthorized fund transfers and data leakage (stolen passwords or users’ sessions).

The most common logical vulnerability is broken access control, which is supposed to prevent unauthorized users to get to the content and functions of web apps in the network. The existence of this vulnerability may lead even to the takeover of your network by an attacker.

What a good network vulnerability assessment report should contain

The executive summary of a vulnerability assessment report should give clear information about the overall security state of your network and the detected weaknesses. This information should be easy to read and understand for managers or business stakeholders who have limited knowledge in the information security area. The technical part should contain the detailed information on the whole process and the activities performed by the security testing team, the number and types of vulnerabilities found, the list of corrective measures to remediate the revealed issues and the list of the scanning tools used. 

The way the findings are arranged plays an important role. Good vendors should not provide you with “draft” automated scanning tool findings. When scanning is over, the vendor should validate the scanning results before including the details on the revealed security weaknesses in the report. Otherwise, you may get the information on the vulnerabilities that do not actually exist and waste your time and financial resources trying to reproduce these vulnerabilities.

It can happen in the course of network vulnerability assessment that security engineers find the vulnerabilities that may be difficult to reproduce for your IT team but can be discovered and exploited by experienced hackers. In such a case, it will be convenient for you to get a step-by-step guide or a video recorded by a vendor that shows how to reproduce the vulnerability. The availability of such an option shows the vendor as competent in their field and concerned about the comfort of their customers.

How often to conduct vulnerability assessment

There are three main factors to take into account when selecting an appropriate frequency of network vulnerability assessment.

• The frequency of audits. For example, if you need to be compliant to PCI DSS (the information security standard for companies that handle cardholders’ information), the frequency of carrying out vulnerability assessment depends directly on the frequency of audit checks your company has to go through. As a rule, an audit check is conducted quarterly. Thus, it makes sense to have network vulnerability assessment carried out each quarter prior to every audit. 
• The frequency of major updates. Generally, the network infrastructure gets major updates several times a year. So, it’s a good practice to have vulnerability assessment performed after every such update, since the changes made to the network may lead to the appearance of new vulnerabilities.
• Financial risks. They include financial losses in the result of business disruption, loss of privacy, sensitive data leakage, reputational damage, etc. Vulnerability assessment should be conducted at least twice a year if the company wants to prevent such events from occurring.

In summary

Choosing an appropriate vendor of vulnerability assessment services is not something that can be done in the blink of an eye. A good vendor must be able to give a thorough explanation of how they carry out network vulnerability assessment, be ready to help you decide how exactly you would like your network to be assessed, as well as have a highly skilled and qualified security testing team. Moreover, a professional vendor must be experienced enough to provide you with a comprehensive report containing not only the detailed information on the revealed technical and logical security vulnerabilities but also valuable recommendations to improve your network security state.

Taking into consideration these and other factors mentioned in the article, you will be able to find a vendor with the necessary expertise and get vulnerability assessment services that fully meet your requirements.