Vulnerability Assessment

The vulnerability assessment learning path guides you through a holistic security assessment approach, where you will develop a well-structured framework for analyzing the security of a system. You will acquire the skills to perform custom vulnerability assessment for any computer system, application or network infrastructure.

The subject

What will you learn?

Syllabus

  • Vulnerability Assessment Skill Assessment

    20 questions

    • See how your vulnerability assessment skills stack up against other professionals in your field.

  • Vulnerability Assessment Project

    8 tasks

  • Vulnerability Management in a Nutshell

    4 videos

    • This course covers the basics of vulnerability assessment, including definitions, scope, policy and process.

  • Introduction to Vulnerability Assessment

    Duration: 11:01

    • Introduction to what vulnerability assessment is, its purpose and why is it valuable.

  • Process Overview

    Duration: 7:46

    • Examines in detail the different steps of the assessment process.

  • Scope Definition

    Duration: 6:24

    • Answers the question: "What are we assessing?" and defines different approaches for the specific assessment.

  • Vulnerability Assessment Policy

    Duration: 4:32

    • Gives you pointers on how to go about creating a vulnerability assessment policy.

  • Vulnerability Discovery

    5 videos

    • This course guides you through five different type of security tools for discovering vulnerabilities in various environments.

  • Static Application Security Testing (SAST)

    Duration: 30:32

    • Define what SAST is and compare different solutions. Demo with Coverity.

  • Software Composition Analysis (SCA)

    Duration: 17:47

    • From drivers to libraries and plugins, open-source is everywhere and it presents risks for your system. Includes a demonstration with OSS Index and VSCode Plugin.

  • Dynamic Network Analysis

    Duration: 25:56

    • Define what dynamic analysis and dynamic network analysis are and compare different solutions. Demo with Nessus.

  • Dynamic Application Security Testing (DAST)

    Duration: 16:09

    • What is dynamic application security testing? A look at top DAST solutions. Demo with the Arachni security framework.

  • Interactive Application Security Testing (IAST)

    Duration: 16:30

    • What is IAST? A look at examples of IAST solutions. Demo with Contrast.

  • Vulnerability Classification

    3 videos

    • This course covers three main topics: false positives, standardized vulnerabilities, and weakness classification systems and threat-based vulnerability/weakness classification.

  • Dealing with False Positives

    Duration: 9:09

    • How to strategically handle false positives in order to narrow down the list of vulnerabilities for further analysis.

  • Standardized Classification

    Duration: 21:40

    • Addressing common vulnerabilities and exposures (CVE) and common weaknesses enumeration (CWE) and how to use them.

  • Threat Based Vulnerability Classification

    Duration: 8:16

    • We will focus on how to organize all the discovered vulnerabilities based on the threat they present.

  • Prioritization and Risk Assessment

    5 videos

    • This course covers how to classify and prioritize vulnerabilities based on real-world criticality measures and how to define the true risk of the vulnerabilities for a specific environment.

  • Intelligent Prioritization

    Duration: 20:01

    • What do you do if you have a huge list of vulnerabilities and only limited time and resources? You prioritize! We will examine the most important factors defining vulnerability priority.

  • Knowing Your Environment

    Duration: 12:53

    • We will look at what you need to know about your system to carry out a thorough assessment.

  • Identifying Assets at Risk

    Duration: 9:16

    • Helping you identify potential attack targets in your environment.

  • Defining the Custom Risk Matrix

    Duration: 10:05

    • Constructing a risk matrix to help us quantify the risks to our organization introduced by security vulnerabilities.

  • Security Risk Assessment (SRA)

    Duration: 18:41

    • What is a security risk assessment and how do we conduct it?

  • Vulnerability Assessment Documentation and Maintenance

    3 videos

    • This course covers how to create comprehensive, clear and easy-to-understand vulnerability assessment documentation, and how to go about keeping the vulnerability findings and scoring current.

  • Reports Creation

    Duration: 11:31

    • A look at how do we capture everything we've done so far in comprehensive report.

  • Risk Score Maintenance

    Duration: 19:42

    • How to update the risk score of vulnerabilities when risk factors are changing.

  • Vulnerability List Maintenance

    Duration: 11:23

    • How do we maintain the list of current vulnerabilities? How to integrate vulnerability scanning in the pipeline.

  • Remediation and Mitigation

    5 videos

    • In this course, we will cover a wide range of topics about the vulnerability remediation and mitigation process, including the most common remediations and mitigations and strategies for deployment of security measures.

  • Common Remediations and Mitigations

    Duration: 11:36

    • What are the most common remediation and mitigation types? How easily can the different types be deployed?

  • Security Measures, Research and Due Diligence

    Duration: 9:39

    • Important points to consider while identifying and researching security measures.

  • Remediation and Mitigation Planning

    Duration: 7:41

    • Defining an approach for bringing the risk to an acceptable level and applying the identified remediations and mitigations.

  • Patching Management

    Duration: 13:55

    • Handling the inventory, testing and deployment of security patches, the most common security mitigation type.

  • Configuration Management

    Duration: 12:28

    • How to keep track of configuration changes across multiple devices. From system hardening deployment to controlling and monitoring for future misconfigurations.

  • Key Security Controls

    7 videos

    • This course covers the top most effective security controls to reduce the overall risk of systems and networks. Recommendation of such controls is a perfect add-on for any vulnerability assessment.

  • Network Access Control (NAC)

    Duration: 11:48

    • Learn what NAC is and discover its main functions and features, how to deploy it and some integration options.

  • Firewall Protection

    Duration: 12:19

    • You will learn about the different types of firewall and their use cases, pros and cons.

  • Enterprise Security Monitoring (ESM)

    Duration: 13:34

    • Learn about the comprehensive, integrated enterprise security monitoring, using Security Onion as a case study.

  • Application Whitelisting

    Duration: 10:51

    • Learn about one of the most powerful endpoint protection mechanisms against malware. We will go though an overview of the technology and will outline a couple of solutions.

  • Next-generation Authentication

    Duration: 7:43

    • Learn about various advanced authentication mechanisms that you can apply in your organization. From standard multi-factor authentication to using biometrics, behavioral and risk-based analytics for more secure authentication.

  • Runtime Application Self-Protection (RASP)

    Duration: 7:44

    • Learn about protecting your application from the inside out! What is RASP, how does it work and what are some RASP solutions?

  • Data Protection Security Controls

    Duration: 15:28

    • Explore different data protection mechanisms for protecting the data at rest and in transit.

The details

What else do you need to know?

  • Meet the author

    Mitko Katsev has nine years of education in system programming and computer engineering, and over eight years work experience in software development and security. He started his career as a software engineer before transitioning into information security and application security. He currently works at his own security consultancy company, ArmadilCo. <br><br> He’s completed various InfoSec/AppSec training and certifications, including SANS Defensible Security Architecture and Engineering (SEC530), SANS Defending Advanced Adversaries - Purple Team Tactics (SEC599), multiple Microsoft security development lifecycle (SDL) trainings and more.

    Mitko Katsev