Vulnerability assessment is the process of identifying, quantifying and prioritizing the vulnerabilities in a computer system.

The activity involves the following phases:

  1. Identification of the resources (hardware/software) in the system;
  2. Identification of the vulnerabilities and potential risks affecting those resources;
  3. Classification of the vulnerabilities identified in terms of their impact on security and the likelihood of a violation;
  4. Identification of the available countermeasures.
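As an added illustration (not part of the original text), the four phases above modelled as a small Python script: an asset inventory, findings recorded against those assets, a risk score derived from impact and likelihood, and the countermeasures attached to each finding. The assets, findings and scores are constructed sample data, not real systems.

```python
"""Constructed example of the four vulnerability-assessment phases."""
from dataclasses import dataclass, field

# Phase 1: the resources (hardware/software) in scope. Constructed sample data.
ASSETS = {
    "web-01": {"kind": "software", "desc": "public web application"},
    "plc-07": {"kind": "hardware", "desc": "SCADA controller"},
    "wifi-ap-3": {"kind": "hardware", "desc": "office wireless access point"},
}


@dataclass
class Finding:
    """Phase 2: a vulnerability recorded against an asset from the inventory."""
    asset: str
    title: str
    impact: int                 # 1 (low) .. 5 (critical), as judged by the assessor
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    countermeasures: list = field(default_factory=list)   # Phase 4

    @property
    def risk(self) -> int:
        # Phase 3: classification by impact and likelihood of a violation.
        return self.impact * self.likelihood


def severity(risk: int) -> str:
    """Map a 1..25 risk score onto the bands used for prioritisation."""
    if risk >= 15:
        return "high"
    if risk >= 8:
        return "medium"
    return "low"


def prioritise(findings, assets=ASSETS):
    """Return findings ordered highest risk first. A finding that references
    an asset missing from the phase-1 inventory is a data error and is rejected."""
    unknown = sorted({f.asset for f in findings if f.asset not in assets})
    if unknown:
        raise ValueError(f"findings reference assets not in the inventory: {unknown}")
    return sorted(findings, key=lambda f: (-f.risk, f.asset))


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE = [
    Finding("web-01", "missing input validation on login form", 4, 4, ["validate input", "WAF rule"]),
    Finding("plc-07", "unauthenticated protocol access", 5, 2, ["network segmentation"]),
    Finding("wifi-ap-3", "weak pre-shared key", 3, 3, ["rotate key", "enable 802.1X"]),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{severity(f.risk):6} {f.risk:2}  {f.asset:10} {f.title} -> {f.countermeasures}")
```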

A vulnerability assessment can be performed by personnel within the organisation (internal staff) or by professionals from outside the organisation (a third party).

During vulnerability assessments, standard methodologies are used, such as:

  • ISECOM: network systems, SCADA protocols, biometrics, strong authentication, wireless systems
  • OWASP: web-based applications

The approach used is ethical hacking.