Security Assessment Types

Introduction:

In science and technology, a tool or piece of software is developed for a defined purpose: to perform predefined functions and to meet quality goals. During development, apart from functionality, it is most important to incorporate the different security measures. An assessment is needed to verify the security-related factors; otherwise a breach of information or data, or other security breaches, may take place.

What is Security Assessment?

Security assessment is the strategy that covers security audits, network assessments and security reviews and identifies all possible vulnerabilities, in order to safeguard an application from potential risks and threats. A security assessment is carried out through various types of assessment; for different functionality it is necessary to use distinct security assessment techniques.

There are various types of security assessment which help to identify functional and technical vulnerabilities:

  1. Vulnerability Assessment.
  2. Penetration Test.
  3. Audit.
  4. White/Grey/Black-Box Assessment.
  5. Risk Assessment.
  6. Threat Assessment.
  7. Threat Modelling.
  8. Bug Bounty.

  • Vulnerability Assessment: This type of security assessment basically examines the physical attributes of the application. It defines and identifies the security loopholes in connections within a network and in communication. Vulnerability analysis measures and evaluates all possible flaws in an efficient way. This assessment is required when there is a prioritized list of flaws and a need for rectification and authentication.
  • Penetration Test: This is also called a technical assessment and is commonly known as a pen test. It validates all possible vulnerabilities in operating systems, services and applications, in improper configurations or in risky end-user behaviour. Penetration tests are performed using manual and automated techniques to protect the system. Basically, it safeguards the complete software configuration.
  • Audit: It is a technical, document-based security assessment type which focuses on comparing the existing configuration with the desired requirements. An audit security assessment deals with loopholes in security policies and checks hardware performance, access control, and the backup and disaster recovery plan.
  • White/Grey/Black-Box Assessment: White-box assessment is used to determine the internal information and activities, and is performed by testers. By using this assessment, the tester knows thoroughly how the technical attributes perform in the software. In white-box testing, the testers are aware of, and assess, the complete internal information and functionality. It is also known as clear-box or transparent-box testing.
  • In black-box testing, the tester examines the functionality and features of the application without being aware of, or looking at, its internal code structure and implementation details. Mainly, black-box testing focuses on the inputs and outputs of the software system.

    Grey-box testing is a combination of black-box and white-box testing. This technique is performed with a limited set of information.

  • Risk Assessment: It is the process of identifying and measuring the potential risks involved in the product or project which may impact the whole project, including the developed application. The assessment commonly determines risks in two dimensions, probability and impact, using qualitative and quantitative models.
  • Threat Assessment: The threat assessment is a type of security review which is very different from the others mentioned above. It focuses mainly on physical attacks rather than technology. The primary objective of a threat assessment is to examine the threat (e.g. a bomb or violence).
  • Threat Modelling: Threat modelling is a methodology for optimizing network security by analysing the vulnerabilities that act as threats to a system. It is a process of capturing, documenting and visualizing how a threat impacts the business-related environment. Mostly, the focus starts with the threat agent in a given attack scenario.
  • Bug Bounty: A bug bounty may be seen as a program where websites or developers invite individual users to go through their web applications and services in order to locate and point out vulnerabilities which could drastically affect the system. The individual receives compensation for reporting bugs; the reports concern exploits and vulnerabilities. The bug bounty program enables developers to discover and properly document bugs and resolve them before the public becomes aware of them. It also protects an application from widespread abuse. Bug bounty programs are run by major software providers such as Yahoo, Google, Facebook, Reddit and Square.
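
To make the audit and risk-assessment items above concrete, here is an added example (it is not from the original article and is not any vendor's tool): it compares a constructed system configuration with a desired baseline, as an audit does, then rates each gap on the two dimensions the article names, probability and impact, and returns a prioritized list, as a risk assessment does. The setting names, baseline values, ratings and the 1 to 3 scale are assumptions constructed for illustration.

```python
"""
Added example (not part of the original article): a small audit-then-risk-assessment
pipeline. The audit step compares the existing configuration against the desired
baseline; each deviation is then scored on probability and impact (qualitative
ratings mapped to a simple quantitative scale) and returned as a prioritized list.
All configuration keys, baseline rules and ratings are constructed for illustration.
"""
from dataclasses import dataclass

# Qualitative ratings mapped to a numeric scale (a simple quantitative model).
RATING = {"low": 1, "medium": 2, "high": 3}

# Desired baseline (constructed): setting -> (expected value,
# probability of exploitation if the setting deviates, impact if exploited).
BASELINE = {
    "ssh.permit_root_login": ("no", "high", "high"),
    "ssh.password_auth": ("no", "medium", "high"),
    "backup.enabled": ("yes", "low", "high"),
    "backup.offsite_copy": ("yes", "low", "medium"),
    "firewall.default_inbound": ("deny", "high", "medium"),
    "log.retention_days": ("90", "low", "low"),
}

# Existing configuration as collected from the system (constructed sample).
CURRENT_CONFIG = {
    "ssh.permit_root_login": "yes",
    "ssh.password_auth": "no",
    "backup.enabled": "yes",
    "backup.offsite_copy": "no",
    "firewall.default_inbound": "allow",
    # "log.retention_days" is absent on purpose: a missing setting is still a gap.
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: str
    probability: str
    impact: str

    @property
    def score(self) -> int:
        """Risk score = probability x impact on the 1..3 scale (maximum 9)."""
        return RATING[self.probability] * RATING[self.impact]


def audit(config, baseline=BASELINE):
    """Compare the existing configuration with the desired baseline.

    Returns one Finding per deviation. A setting missing from the collected
    configuration is reported with actual="<missing>" rather than skipped.
    """
    findings = []
    for setting, (expected, probability, impact) in baseline.items():
        actual = config.get(setting, "<missing>")
        if actual != expected:
            findings.append(Finding(setting, expected, actual, probability, impact))
    return findings


def prioritize(findings):
    """Order findings by risk score, highest first; ties broken by impact, then name."""
    return sorted(findings, key=lambda f: (-f.score, -RATING[f.impact], f.setting))


def risk_level(score: int) -> str:
    """Map a numeric score back to a qualitative level for the report."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def report(config, baseline=BASELINE):
    """Run the audit and return (setting, actual, expected, score, level) rows,
    most urgent first."""
    return [(f.setting, f.actual, f.expected, f.score, risk_level(f.score))
            for f in prioritize(audit(config, baseline))]


if __name__ == "__main__":
    for row in report(CURRENT_CONFIG):
        print("%-26s actual=%-9s expected=%-5s score=%d (%s)" % row)
```

Running the script lists four gaps, with the root-login and firewall deviations at the top of the prioritized list; the same `report()` call can be pointed at a different configuration dictionary or baseline. The numeric score is only a prioritization aid: the qualitative ratings in the baseline are where the real assessment judgement lives, and they should be reviewed as carefully as the expected values.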