Vulnerability Assessment Vendors: How to Find the Right One

Vulnerability Assessment Vendors: How to Find the Right One

Learn about the key factors to pay attention to when selecting a provider of network vulnerability assessment services.

  • Mar 25, 2019

Regular vulnerability assessment contributes positively to the improvement of the security state of your company’s network. In this article, we’ll show you how to find a professional provider with the competence necessary to perform network vulnerability assessment properly.

Where vulnerability assessment can fall flat

When selecting an appropriate information security services provider, it’s essential to know the key factors to pay attention to. Before choosing the company to conduct vulnerability assessment of your network, it’s important to get the full picture of your potential vendor’s capabilities and competencies. Sometimes, due to the lack of experience, qualification, etc., vendors may fail to provide their customers with high-quality services. We mention below the most common mistakes vendors make and describe what to expect from a good vendor.

  1. Vendors miss the initial stage of clarifying significant details. Vulnerability assessment service providers who are not experienced enough may fail to ask the right questions to get the information on the specifics of your network configurations, for example, where the sensitive data is stored, how your network is protected, what rights the users need to access the servers, etc. The primary task of a qualified vendor is to help you take the right decision regarding how exactly you want your network be assessed (for example, do you want the security engineers to perform scanning from the ‘inside’ of a network or the ‘outside’?). Experienced vendors can provide you with a security assessment questionnaire at the stage of negotiations. Such questionnaires simplify estimating the scope of work for a vendor, as well as clarify whether the customer needs to be compliant with any security standards and regulations (PCI DSS, HIPAA, etc.), what security measures are already in place (firewall protection, IPS/IDS), etc. 
  2. Vendors fail to provide a comprehensive description of the whole network vulnerability assessment process. They must be ready to explain their choice of the approach for performing vulnerability assessment. The explanation doesn’t imply simply giving the list of the scanning tools being used – such information will not be valuable for you as a customer since it doesn’t give you any idea about what exactly will be assessed with those tools. A prospective vendor should be able to clearly describe the steps they are going to execute, and deliverables you get at the end of the process. 
  3. Vendors may try to cut down their costs by attracting entry-level security testing team. Such security specialists can set up a scanning tool but do not have the necessary qualification to draw up a report containing reliable information. Therefore, when assessing a prospective vendor, do not take only their portfolio (the publicly available information on the completed projects) into consideration. What you should pay attention to is the experience of the vendor’s security engineers. Focus on their certifications, published scientific papers, participation in awards programs, etc. Assess the professionals, not the company’s brand. 
  4. Vendors fail to provide their customers with recommendations aimed to remediate the revealed security weaknesses. In spite of the fact that network vulnerability assessment implies only “opening the door” to see the security weaknesses hidden behind it, the ability to point out the network’s flaws is not enough. To assess the vendor’s competence in this matter, you should have a look at the template of the final report they provide at the end of network vulnerability assessment. A well-structured report consists of two main elements: an executive summary (a brief and clear evaluation of the overall security level of your network) and a technical report (a thorough description of the activities performed by security engineers and their findings).

What types of vulnerabilities a vendor may find or miss

In the process of vulnerability assessment, two main types of vulnerabilities can be found: logical and technical. Technical vulnerabilities can be easily detected with automated scanning tools, so even the vendors with not a very high skill level can find them just by setting up a scanning tool correctly. However, only security testing professionals can detect logical vulnerabilities manually as they understand the logic according to which the customer’s network works.

Among the most well-known technical vulnerabilities are:

  • Susceptibility to SQL injection. This vulnerability means a possibility to place malicious code in SQL statements (through a web page input). A successful SQL injection exploit can provide attackers with an opportunity to access and modify, or even destroy the sensitive data in your databases. 
  • Susceptibility to cross site scripting (XSS) attacks. It’s a type of security attack when a hacker inserts, for example, a malicious script into content from other websites that your network trusts. This vulnerability may allow attackers to spread malware, phish for credentials, etc. 
  • Susceptibility to cross-site request forgery (CSRF). This vulnerability allows making a user’s web browser execute an unwanted action in the web application to which this user is logged in. Successfully performed CSRF attacks can result in unauthorized fund transfers and data leakage (stolen passwords or users’ sessions).

The most common logical vulnerability is broken access control, which is supposed to prevent unauthorized users to get to the content and functions of web apps in the network. The existence of this vulnerability may lead even to the takeover of your network by an attacker.

What a good network vulnerability assessment report should contain

The executive summary of a vulnerability assessment report should give clear information about the overall security state of your network and the detected weaknesses. This information should be easy to read and understand for managers or business stakeholders who have limited knowledge in the information security area. The technical part should contain the detailed information on the whole process and the activities performed by the security testing team, the number and types of vulnerabilities found, the list of corrective measures to remediate the revealed issues and the list of the scanning tools used. 

The way the findings are arranged plays an important role. Good vendors should not provide you with “draft” automated scanning tool findings. When scanning is over, the vendor should validate the scanning results before including the details on the revealed security weaknesses in the report. Otherwise, you may get the information on the vulnerabilities that do not actually exist and waste your time and financial resources trying to reproduce these vulnerabilities.

It can happen in the course of network vulnerability assessment that security engineers find the vulnerabilities that may be difficult to reproduce for your IT team but can be discovered and exploited by experienced hackers. In such a case, it will be convenient for you to get a step-by-step guide or a video recorded by a vendor that shows how to reproduce the vulnerability. The availability of such an option shows the vendor as competent in their field and concerned about the comfort of their customers.

How often to conduct vulnerability assessment

There are three main factors to take into account when selecting an appropriate frequency of network vulnerability assessment.

  • The frequency of audits. For example, if you need to be compliant to PCI DSS (the information security standard for companies that handle cardholders’ information), the frequency of carrying out vulnerability assessment depends directly on the frequency of audit checks your company has to go through. As a rule, an audit check is conducted quarterly. Thus, it makes sense to have network vulnerability assessment carried out each quarter prior to every audit. 
  • The frequency of major updates. Generally, the network infrastructure gets major updates several times a year. So, it’s a good practice to have vulnerability assessment performed after every such update, since the changes made to the network may lead to the appearance of new vulnerabilities.
  • Financial risks. They include financial losses in the result of business disruption, loss of privacy, sensitive data leakage, reputational damage, etc. Vulnerability assessment should be conducted at least twice a year if the company wants to prevent such events from occurring.

In summary

Choosing an appropriate vendor of vulnerability assessment services is not something that can be done in the blink of an eye. A good vendor must be able to give a thorough explanation of how they carry out network vulnerability assessment, be ready to help you decide how exactly you would like your network to be assessed, as well as have a highly skilled and qualified security testing team. Moreover, a professional vendor must be experienced enough to provide you with a comprehensive report containing not only the detailed information on the revealed technical and logical security vulnerabilities but also valuable recommendations to improve your network security state.

Taking into consideration these and other factors mentioned in the article, you will be able to find a vendor with the necessary expertise and get vulnerability assessment services that fully meet your requirements.

Featured

  • Research: Cybersecurity Success Hinges on Full Organizational Support

    Cybersecurity is the top technology priority for the vast majority of organizations, but moving from aspiration to reality requires a top-to-bottom commitment that many companies have yet to make, according to new research released today by CompTIA, the nonprofit association for the technology industry and workforce. Read Now

  • Live from GSX 2024: Day 3 Recap

    And GSX 2024 in Orlando, is officially in the books! I’d like to extend a hearty congratulations and a sincere thank-you to our partners in this year’s Live From program—NAPCO, Eagle Eye Networks, Hirsch, and LVT. Even though the show’s over, keep an eye on our GSX 2024 Live landing page for continued news and developments related to this year’s vast array of exhibitors and products. And if you’d like to learn more about our Live From program, please drop us a line—we’d love to work with you in Las Vegas at ISC West 2025. Read Now

    • Industry Events
    • GSX

  • Bringing New Goods to Market

    The 2024 version of GSX brought with it a race to outrun incoming hurricane Helene. With it’s eye on Orlando, it seems to have shifted and those security professionals still in Orlando now have a fighting chance to get out town. Read Now

    • Industry Events
    • GSX

  • Live from GSX 2024: Day 2 Recap

    Day 2 was another winner at GSX 2024 in Orlando. Aisles and booths were packed with attendees looking at some of the new and latest security technology. Remember to follow the GSX Live page from Security Today, as well as SecurToday on X and Security Today on LinkedIn to find out more about what’s happening on the show floor during tomorrow’s final day. Here’s what was happening with all four of our partners during the event on Tuesday. Read Now

    • Industry Events
    • GSX
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3