A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation wherever needed.
Vulnerability assessments are conducted against both the external and the internal perimeter to discover technical vulnerabilities: frequent scans identify unpatched operating systems, application flaws and configuration errors, and the assessment then recommends the best course of action to address them.
The security scanning process consists of four steps: testing, analysis, assessment and remediation. The first step, vulnerability identification (or testing), produces a comprehensive list of an application's vulnerabilities. The second step, vulnerability analysis, identifies the source and root cause of each vulnerability found in step one, that is, the system components responsible for it and the underlying cause. The third step, risk assessment, prioritises the vulnerabilities: security analysts assign each one a rank or severity score based on pre-set factors. The last step, remediation, closes the security gaps; it is typically a joint effort by security staff and the development and operations teams, who determine the most effective path for remediation or mitigation of each vulnerability.
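The four steps above carried through in code, as an added example that is not part of the original text: the hosts and findings are constructed placeholders, the scanner's 0-10 "base" severity and the exposure, criticality and ownership tables are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample findings (placeholder hosts and weaknesses), normalised from a
# scanner export. "base" is an assumed 0-10 scanner severity; the categories are
# the three kinds of weakness the text names. web01's kernel hit is duplicated on purpose.
RAW_FINDINGS = [
    {"host": "web01", "perimeter": "external", "category": "unpatched_os",
     "component": "kernel", "detail": "missing patch (placeholder)", "base": 6.0},
    {"host": "web01", "perimeter": "external", "category": "unpatched_os",
     "component": "kernel", "detail": "missing patch (placeholder)", "base": 6.0},
    {"host": "web02", "perimeter": "external", "category": "unpatched_os",
     "component": "kernel", "detail": "missing patch (placeholder)", "base": 6.0},
    {"host": "web01", "perimeter": "external", "category": "application_flaw",
     "component": "login form", "detail": "unvalidated input (placeholder)", "base": 6.4},
    {"host": "db01", "perimeter": "internal", "category": "config_error",
     "component": "database", "detail": "default credentials (placeholder)", "base": 9.0},
]
# Pre-set assessment factors (assumed): exposure and host criticality raise the score.
EXPOSURE = {"external": 1.25, "internal": 1.0}
CRITICALITY = {"db01": 1.2}  # unlisted hosts default to 1.0
OWNER = {"unpatched_os": "operations", "application_flaw": "development",
         "config_error": "operations"}  # team that owns each kind of fix (assumed)

def identify(raw):
    """Step 1: the comprehensive list, with duplicate scanner hits removed."""
    unique = {(f["host"], f["component"], f["detail"]): f for f in raw}
    return list(unique.values())

def analyse(findings):
    """Step 2: group findings that share a root cause (same component and weakness)."""
    causes = defaultdict(list)
    for f in findings:
        causes[(f["category"], f["component"], f["detail"])].append(f)
    return causes

def assess(causes):
    """Step 3: score each root cause from the pre-set factors; the worst host sets it."""
    scored = []
    for (cat, comp, _), hosts in causes.items():
        score = max(min(10.0, h["base"] * EXPOSURE[h["perimeter"]]
                        * CRITICALITY.get(h["host"], 1.0)) for h in hosts)
        rank = "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"
        scored.append({"category": cat, "component": comp, "score": round(score, 1),
                       "rank": rank, "hosts": sorted(h["host"] for h in hosts)})
    return scored

def remediation_plan(raw=RAW_FINDINGS):
    """Step 4: ordered work list, each item assigned to the team that owns the fix."""
    plan = sorted(assess(analyse(identify(raw))), key=lambda s: -s["score"])
    for item in plan:
        item["owner"] = OWNER[item["category"]]
    return plan
```

Two hosts with the same unpatched kernel collapse into one work item, while the internal database with default credentials still ranks first because criticality outweighs its lower exposure.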