From Vulnerability Management to Combined Vulnerability Management to Penetration Testing

“A flaw in a system that, if leveraged by an attacker, can potentially impact the security of said system”

Also: security bug, security flaw, security hole

“To use or manipulate to one’s advantage”

“A security hole or an instance of taking advantage of a security hole”

“A software program or tool that exploits vulnerability with the sole purpose of proving its existence”

“A program or tool that does not require legitimate access to the vulnerable system in order to exploit the security flaw”

“A software program or tool developed to exploit a vulnerability in order to accomplish a specific goal”

Possible goals: denial of service, arbitrary execution of code, etc

“The means used by the exploit code to trigger the vulnerability on the target system”

The classic attack uses exploit code. Once a target (be it a server or a desktop) is compromised, the attacker uses it as a vantage point to penetrate the corporate net and to perform further attacks as an internal user

Penetration Testing

Test and fine-tune firewall configuration

Test and fine-tune IDS configuration

Test incident response capabilities

Vulnerability management

Please note that both the Attack & Penetration phase and the Privilege Escalation phase uses exploit code

(Vulnerability management, i.e., scan and patch strategy)

(Vulnerability management + Exploit code)

The attack phase used exploit code

Both the attack and the verify phases use exploit code