Due to the increasing size, complexity and diversity of systems, maintaining an effective information security system is a difficult task. New vulnerabilities can be introduced by misconfiguration, human error, or hardware and software flaws in new installations. A vulnerability assessment should be performed on an organization's information system so that the organization's risk can be properly assessed.
Vulnerability scanning consists of a series of automated tests run with various vulnerability scanning tools. The raw results are then manually sorted, examined and filtered (duplicates collapsed, known false positives removed, findings ranked by risk) so that a proper assessment of the tested system can be made.
Because a scanner reports vulnerabilities on the basis of version banners and signature checks and does not confirm them by exploitation, vulnerability scan results are usually less reliable than those obtained by penetration testing and contain more false positives. For this reason Griffinix recommends that vulnerability scanning is conducted against less significant business systems and client workstations, while penetration testing is more suitable for critical servers and applications.
Vulnerability scanning provides an organization with a list of all identified vulnerabilities, each with a corresponding description and risk level. This allows the organization to assess the overall risk of its information system.
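The manual sorting, examining and filtering step described above, and the per-host risk roll-up produced from the resulting list, as an added example that is not part of the original page and not Griffinix's own tooling. The input is a constructed list of findings shaped like a generic scanner export; the field names, the check identifiers and the risk scale are assumptions, not any vendor's real format.

```python
"""Triage of vulnerability-scanner findings: deduplicate, filter, rank, summarise."""
from collections import Counter

# Assumed severity scale; real scanners use CVSS or their own labels.
RISK_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Constructed sample findings (hypothetical hosts, check IDs and titles).
# The first two rows are the same check reported twice on one host, e.g. on two ports.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5",  "check": "ssl-weak-cipher",  "title": "Weak TLS cipher suites",        "risk": "Medium"},
    {"host": "10.0.0.5",  "check": "ssl-weak-cipher",  "title": "Weak TLS cipher suites",        "risk": "Medium"},
    {"host": "10.0.0.5",  "check": "smb-signing",      "title": "SMB signing not required",      "risk": "Medium"},
    {"host": "10.0.0.9",  "check": "outdated-openssh", "title": "Outdated OpenSSH version",      "risk": "High"},
    {"host": "10.0.0.9",  "check": "http-trace",       "title": "HTTP TRACE method enabled",     "risk": "Low"},
    {"host": "10.0.0.12", "check": "banner-version",   "title": "Service banner reveals version", "risk": "Info"},
]


def dedupe(findings):
    """Collapse repeated (host, check) pairs, keeping the highest risk seen."""
    best = {}
    for f in findings:
        key = (f["host"], f["check"])
        if key not in best or RISK_ORDER[f["risk"]] > RISK_ORDER[best[key]["risk"]]:
            best[key] = f
    return list(best.values())


def filter_findings(findings, accepted=(), min_risk="Low"):
    """Drop confirmed false positives / accepted risks and anything below min_risk.

    `accepted` is a collection of (host, check) pairs that a reviewer has already
    examined and decided not to report again.
    """
    accepted = set(accepted)
    floor = RISK_ORDER[min_risk]
    return [
        f for f in findings
        if (f["host"], f["check"]) not in accepted and RISK_ORDER[f["risk"]] >= floor
    ]


def rank(findings):
    """Order for manual review: highest risk first, then by host and check."""
    return sorted(findings, key=lambda f: (-RISK_ORDER[f["risk"]], f["host"], f["check"]))


def summarize(findings):
    """Per-host counts by risk level and the worst risk level across all hosts."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], Counter())[f["risk"]] += 1
    overall = max((f["risk"] for f in findings), key=lambda r: RISK_ORDER[r], default="Info")
    return per_host, overall


def triage(findings, accepted=(), min_risk="Low"):
    """Full pipeline: dedupe -> filter -> rank."""
    return rank(filter_findings(dedupe(findings), accepted, min_risk))


if __name__ == "__main__":
    reviewed = triage(SAMPLE_FINDINGS)
    for f in reviewed:
        print(f"{f['risk']:<8} {f['host']:<10} {f['title']}")
    per_host, overall = summarize(reviewed)
    print("per host:", {h: dict(c) for h, c in per_host.items()})
    print("overall risk:", overall)
```

Findings that a reviewer has examined and rejected are passed in as `accepted` pairs rather than deleted from the export, so the raw scanner output is preserved and the decision is repeatable on the next scan.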
Griffinix recommends that vulnerability scans are conducted regularly so that newly introduced vulnerabilities are identified in a timely manner. For business-critical servers and applications, penetration testing remains the more appropriate choice.