Vulnerability Identification

A vulnerability is a weakness in a system or its protections that could be exercised, creating a breach in the security protection of the system. The goal of this step is to come up with a list of vulnerabilities that could be exercised by potential threat sources.

Vulnerabilities can be identified from lists and advisories on common vulnerabilties and also by testing the system.

Once a list of vulnerabilities that might be exercised against the system have been identified, they should be matched up against the threat sources that were previously identified, so that overall risk can be determined.



Vulnerability lists

System testing

  • Vulnerability scanning (see control RA-5)
  • Penetration testing
  • Security controls assessment (see control CA-2)
  • Previous risk assessment documentation

Security Requirements Checklist
The security requirements checklist contains the basics to evaluate and identify the vulnerabilities of information system assets, procedures, processes and information. The purpose is to determine whether security requirements are being met by either existing or planned controls.

800-42 “Guideline on Network Security Testing”
800-40 “Creating a Patch and Vulnerability Management Program”
800-115 “Technical Guide to Information Security Testing”

Leave a Reply

You must be logged in to post a comment.