Over the past few months I have heard a large number of people talking about Risk Assessment, Vulnerability Assessment, and Penetration Testing; however, each of them presents these topics differently.
What is a Risk Assessment versus a Vulnerability Assessment versus a Penetration Test?
Instead of posting what I think they mean, please add a comment as to what you think they are. In a couple of days I will summarize what readers thought and add in my thoughts.
May 21, 2007 at 4:01 pm
RA – List/Define the risks along with steps taken, if any, to mitigate the risks. For example, giving your developers access to live code isn’t a vulnerability but it is a risk.
VA – Assessment of known system vulnerabilities. For example, an unpatched Windows server is likely to have many vulnerabilities that could be exploited.
PT – Simply put, a “hacker” attempts to get into your systems from outside your organization, as a test.