What is IT vulnerability assessment?
IT vulnerability analysis is not a firmly defined term, so everyone interprets it somewhat differently and carries it out in practice. We follow the majority and understand it to mean a mostly automated scan for software errors, security vulnerabilities and configuration errors. This type of analysis is to be understood as an absolute "baseline" in IT security and should never be confused with a classic penetration test.
With the help of a vulnerability analysis, a company can find out fairly quickly, and for comparatively little money, whether there are any obvious weaknesses in its own IT infrastructure. The vulnerability analysis is therefore a first step towards improving your own IT security. As a rule, we act as an external attacker and scan all relevant IP addresses and applications - always in accordance with the customer's wishes. A kick-off meeting is therefore held in advance to clarify everything. A scan from the internal network is also possible.
Who should have an IT vulnerability analysis carried out?
Every company should have regular automated IT vulnerability analyses carried out. Obvious errors are easy to discover, and the responsible development teams can then rectify them promptly. The target group for IT vulnerability analyses is all companies that have a financial interest in protecting their systems. Some laws stipulate regular vulnerability scans and penetration tests.
What makes DSecured better than other providers?
Most providers run an industry-standard software tool against a specific scope and then present the results - if at all. In our practice, we often have customers who show us such reports but are unable to interpret them themselves. The problem with automated solutions is often that they have to be set up correctly and that they still generate a relatively large number of false positives.
We want to take a different approach to IT security analysis. We use various well-known software solutions and supplement these with our own developments and our external attack surface monitoring tool Argos. We analyze and classify the results of all tools and eliminate false positives. The customer receives a report written by us that is easy for the developers to interpret.
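The aggregation step described above (several tools, merged results, false positives removed, findings classified for the developer) can be illustrated with a small triage routine. This is an added example and not DSecured's own tooling or Argos: the scanner names, the CVE-style identifiers and the host addresses are constructed placeholders, and the records are assumed to have already been normalized into one dictionary shape per finding.

```python
"""Merge findings from several scanners, drop verified false positives and
classify what remains (added example, not DSecured's tooling).

Assumptions: each scanner's output has been normalized into the record shape
used in RAW_FINDINGS; identifiers and hosts below are constructed placeholders.
"""

# CVSS v3 qualitative rating scale: (lower bound, label), highest first.
SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"), (0.0, "info")]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Evidence kinds that only infer a vulnerability from a version string and
# therefore must be validated by hand before they go into the report.
INFERRED_EVIDENCE = {"banner match"}

# Constructed sample records from two hypothetical scanners.
RAW_FINDINGS = [
    {"tool": "scanner_a", "host": "203.0.113.10", "port": 443, "id": "CVE-0000-EXAMPLE-1", "cvss": 9.8, "evidence": "banner match"},
    {"tool": "scanner_b", "host": "203.0.113.10", "port": 443, "id": "CVE-0000-EXAMPLE-1", "cvss": 9.8, "evidence": "version probe"},
    {"tool": "scanner_a", "host": "203.0.113.10", "port": 22,  "id": "ssh-weak-mac",       "cvss": 5.3, "evidence": "kex negotiation"},
    {"tool": "scanner_b", "host": "203.0.113.11", "port": 80,  "id": "CVE-0000-EXAMPLE-2", "cvss": 7.5, "evidence": "banner match"},
    {"tool": "scanner_a", "host": "203.0.113.11", "port": 80,  "id": "missing-hsts",       "cvss": 3.1, "evidence": "header absent"},
]

# (host, port, id) triples that were manually verified as false positives in an
# earlier round; constructed for this example.
KNOWN_FALSE_POSITIVES = {("203.0.113.10", 22, "ssh-weak-mac")}


def severity(cvss):
    """Map a CVSS base score to its qualitative rating."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "info"


def triage(findings, known_false_positives):
    """Merge duplicate findings across tools, drop known false positives and
    mark single-tool, inference-only findings as needing manual validation."""
    merged = {}
    for f in findings:
        key = (f["host"], f["port"], f["id"])
        entry = merged.setdefault(key, {
            "host": f["host"], "port": f["port"], "id": f["id"],
            "cvss": 0.0, "tools": set(), "evidence": set(),
        })
        entry["cvss"] = max(entry["cvss"], f["cvss"])   # keep the highest score reported
        entry["tools"].add(f["tool"])
        entry["evidence"].add(f["evidence"])

    report = []
    for key, e in merged.items():
        if key in known_false_positives:
            continue                                    # eliminated: verified false positive
        e["severity"] = severity(e["cvss"])
        corroborated = len(e["tools"]) >= 2
        active_evidence = not e["evidence"].issubset(INFERRED_EVIDENCE)
        e["status"] = "reported" if (corroborated or active_evidence) else "needs validation"
        e["tools"] = sorted(e["tools"])
        e["evidence"] = sorted(e["evidence"])
        report.append(e)

    # Most severe first, then by host and port so the developer reads top-down.
    report.sort(key=lambda e: (SEVERITY_RANK[e["severity"]], e["host"], e["port"]))
    return report


if __name__ == "__main__":
    for e in triage(RAW_FINDINGS, KNOWN_FALSE_POSITIVES):
        print(f'{e["severity"]:8} {e["host"]}:{e["port"]} {e["id"]} [{e["status"]}] via {", ".join(e["tools"])}')
```

The "needs validation" status is the hook for the manual step: a finding seen by only one tool and based solely on a banner match is exactly the kind of result that gets re-checked (for example with Burp) before it is written up, while corroborated or actively probed findings go straight to the report.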
"An IT vulnerability analysis is actually worthwhile for every company."
Damian Strobel - Founder of DSecured
Use our IT vulnerability analysis to find out where your company's weaknesses are.
Which is better? Vulnerability analysis or a pentest?
Better for what? For a rough assessment of a large number of IT systems (IPs, services, applications, APIs, CMSs, ...), an IT vulnerability analysis is better suited than a penetration test. The reason is quite simple: reality. You are not going to carry out a complex, time-consuming penetration test against every single system. That would simply be too expensive and take too long. A vulnerability analysis is the better choice here. It is faster, cheaper and usually provides a good overview of the vulnerabilities in the IT infrastructure.
If the number of systems is limited or the need for data protection is particularly high, a focused penetration test is always the better choice. Here, a specific system is targeted in order to uncover as many security gaps as possible. The disadvantage here is clearly the duration and costs, which are generally higher than with a vulnerability analysis.
Automated pentesting as an interim solution?
An automated penetration test solution is a good interim solution - but it will never be able to replace a real penetration tester with a lot of experience. There are security problems that are very difficult to find automatically - examples are problems in the area of Broken Access Control or IDOR. An experienced pentester can often combine small software errors into critical security vulnerabilities. To do this, they must familiarize themselves with the software and know how its processes work. So far, no automated pentesting solution can offer anything like this - no matter what the marketing departments promise or how much AI is supposedly built in.
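The IDOR point above is easy to see in code: a scanner that requests an object id and receives a successful response cannot tell whether that response was legitimate, because "legitimate" depends on who owns the object. The following added example (not code from DSecured or from any product named on this page) shows a toy in-memory API with an unchecked handler beside its hardened form, and the two-identity check a tester performs by hand; the users, invoices and the Forbidden type are all constructed for the illustration.

```python
"""Object-level authorization (IDOR) needs application knowledge to detect.
Added example with constructed data; not code from the original page."""


class Forbidden(Exception):
    """Raised when a user is not allowed to access an object."""


# Constructed data: invoices owned by two different customers.
INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob",   "total": 75.5},
}


def get_invoice_unchecked(user, invoice_id):
    """Vulnerable handler: any authenticated user can read any invoice by id.
    Every request answers successfully, so a scanner that only looks at the
    response sees a perfectly healthy endpoint."""
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    """Hardened handler: enforce object-level authorization on every access."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        # Same refusal for "missing" and "not yours", so the response does not
        # reveal which ids exist.
        raise Forbidden(f"{user} may not access invoice {invoice_id}")
    return invoice


def object_level_authz_holds(handler):
    """The check a tester does manually: act as two users, request the other
    user's object and confirm it is refused, then confirm owners still see
    their own records. Returns True only if both conditions hold. Knowing
    which id belongs to whom is exactly the knowledge a blind scan lacks."""
    for user, other_users_id in (("alice", 1002), ("bob", 1001)):
        try:
            handler(user, other_users_id)
            return False            # cross-user read succeeded: access control is broken
        except Forbidden:
            continue                # refused as expected
    return (handler("alice", 1001)["owner"] == "alice"
            and handler("bob", 1002)["owner"] == "bob")


if __name__ == "__main__":
    print("unchecked handler safe:", object_level_authz_holds(get_invoice_unchecked))  # False
    print("hardened handler safe: ", object_level_authz_holds(get_invoice))            # True
```

The same check belongs in the application's own test suite: once the ownership model is encoded in a test like `object_level_authz_holds`, the regression is caught on every build rather than waiting for the next manual assessment.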
Software we use for IT vulnerability assessments
In addition to OpenVAS and nmap (including various scripts), DSecured also uses our eASM solution Argos to find unknown security vulnerabilities and problems. The latter provides deep insights into a company's perimeter.
We primarily use Burp Suite and Nessus as automated scanner solutions. These cover classic security vulnerabilities well. Burp Suite is also used to validate findings. We also run our own plugins within Burp.
DSecured is constantly developing special scanners, primarily in Go or Python - these are also used to get an even better picture of the situation. Examples include our tools for path traversals, SSRFs and XSS.
How much does an IT vulnerability analysis cost?
It depends on how large the IT infrastructure to be audited is. Other factors include the complexity of the network, the industry and any special legal requirements for the software. A customized solution is often required - here it is difficult to say anything about the costs in advance. A simple scan of a web application with a report in PDF form, with false positives removed, ranges from 400 to 800 euros. A scan of a small IT infrastructure (up to 10 IP addresses) costs around 1,000 to 5,000 euros. Larger infrastructures cost correspondingly more.
IT vulnerability analysis: what comes next?