Xelerance provides consulting services for vulnerability testing.
If needed, we can also provide guidance as to what to do after our report,
or we can do only the report as a verification of another organization's
work.
There are several kinds of vulnerability assessments that can be done.
This process is sometimes called penetration testing, although that is
only one type/aspect of an assessment.
There are two extremes: at one end is what is sometimes called BlackHat
or BlackBox penetration testing. At the other end is directed
per-application/product assessment, which is a form of WhiteBox
testing.
Types of vulnerability assessments
BlackBox penetration testing and response testing
This is done without the knowledge of the end client customer/user.
Often only the CEO or CIO of the client is aware of the effort. The
consultant is provided with a "get out of jail free" letter. The
consultant team attempts to compromise the client's security, with the
goal of causing some reaction from the customer. The goal is not just
to compromise a system, but to elicit a response from the client,
and possibly a response from a law enforcement agency.
In such a test it is acceptable for the consultant to compromise one
server in order to continue gathering information, and/or attacking
other systems.
BlackBox penetration testing
This is a more traditional "scan" - it is done with the knowledge
of the client's IT department. The IP address range(s) involved
are provided up front, or possibly only a single server, with
all other information discovered by the consultant during the course
of the "scan".
When a potential vulnerability is found, it is exploited if possible, but
no further damage is done. If a critical system is found to be vulnerable,
then the consultant will stop and notify the client of this immediately.
The client must then provide the consultant with the access which they
would have gotten by a destructive attack on the system, so that they may
continue to determine what other systems may become vulnerable, given that
"beachhead".
The consultant is engaged for a period of time, and at the end of that
period, the consultant writes a report, detailing what information was
gathered, and what systems were compromised.
Multiple types of attacks may be used, especially including social
engineering.
Vulnerability Scanning
In this version, the scan is done, and version information is used to
determine if some particular applications might be vulnerable to an
attack.
The attacks are not carried out; these are passive scans. A report is generated
based on what applications & potential vulnerabilities were found by the
scans.
WhiteBox penetration testing
The consultant is provided with a map of the network, a list of servers,
and a list of relationships. The consultant is asked to then exploit
these relationships. If additional information is needed, it is simply
asked for.
WhiteBox testing is not about defending against a total stranger, but
rather against an insider, a disgruntled former employee, as well as
against a very knowledgeable outsider.
Application testing
In the end, all successful penetrations involve exploiting flaws or
mis-features in the design or deployment of application software.
Application testing is about testing specific applications for specific
kinds of faults.
It is typically done by suppliers of software as part of the
Quality Assurance phase; however, the Xelerance team can act as a
third-party QA team for those customers concerned about critical systems.
For more information on any of these services, please email
info@xelerance.com.