Learning Path

Vulnerability Assessment

Learn to develop a well-structured framework for analyzing the security of a system.
8 hours, 31 minutes
Start a Free Trial

What you will learn

What is the difference between doing a vulnerability assessment for a fitness tracker and an internet-connected pacemaker? Quite significant! Simple scanning may be sufficient in some cases, but others require a deeper look. In this path, you'll learn a variety of ways to discover vulnerabilities, classify and prioritize vulnerabilities based on real-world criticality measures, define the actual risk of the vulnerabilities, create and execute an actionable remediation plan, and document and maintain a vulnerability assessment. Finally, you'll learn some key security controls that don't target specific vulnerabilities, but enhance the overall security of your system.
 

Syllabus

Vulnerability Assessment Skill Assessment

Assessment - 42 questions
Vulnerability Management in a Nutshell

Course - 00:32:00
Starting with the basics of vulnerability assessment and the preparation steps, this course guides you through what a risk assessment is, how to set the scope and policy for it and the actual vulnerability assessment process. We will break down the five stages of the process that will be covered in the learning path.
Vulnerability Discovery

Course - 01:47:00
This course is all about tools! We will examine and compare a large list of security tools for vulnerability discovery in five different categories: static application security testing (SAST), software composition analysis (SCA), dynamic network analysis, dynamic application security testing (DAST) and interactive application security testing (IAST). There will be a lot of demonstrations and practical tips and hints on using the security tools.
Vulnerability Classification

Course - 00:39:00
In this course, you'll learn about false positives (including tips on how to identify them), standardized classification (including common vulnerabilities and exposures, and the common weaknesses enumeration systems) and threat-based classification, which involves organizing vulnerabilities based on the threat that they present to the system.
Prioritization and Risk Assessment

Course - 01:11:00
This course focuses on the most important parts of the vulnerability assessment process — vulnerability prioritization and risk evaluation. We will be incorporating inputs from various systems and databases for threat intelligence to assign priority to the discovered vulnerabilities. With that priority-based approach, the most critical issues posing the biggest threats are assessed and addressed first. Risk assessment is covered in depth, using a structured and customizable process for deriving accurate risk scores.
Vulnerability Assessment Documentation and Maintenance

Course - 00:43:00
The first part of this course will cover how to effectively capture the output of the vulnerability assessment in a comprehensive report and how to build that report so it present the most value. The second part of this course will dive into the topic of assessment maintenance. Vulnerability assessment is not a static thing: vulnerabilities evolve and new exploits are being developed daily, so to stay current, the assessment needs to be maintained. This course will focus on the two main aspects of the maintenance — risk score maintenance and vulnerability list maintenance.
Remediation and Mitigation

Course - 00:55:00
This course will cover all the aspects you need to know when addressing security vulnerabilities. From the most common and widely used remediations and mitigations to tips and hints about researching and identifying the most appropriate fixes, defining a complete mitigation plan, covering strategies for fix deployment and configuration and patch management.
Key Security Controls

Course - 01:19:00
This course covers the top most effective security controls to reduce the overall risk of systems and networks. That includes: network access control (NAC), firewall protection, enterprise security monitoring (ESM), application whitelisting, next-generation authentication, runtime application self-protection (RASP) and data protection security controls. All the selected security controls have a broad and comprehensive vulnerability coverage. The course examines multiple open-source and proprietary technologies for implementing the listed security control types.
Vulnerability Assessment Project

Project - 01:14:00
First you'll set up your environment using JDK 11, Maven 3.6.3 and Git. Then you'll use SNYK, static application security testing with Coverity Scan and a risk assessment template to discover, identify and rate the CWEs and CVEs. Finally, you'll find the most appropriate fixes for the two vulnerabilities with the highest risk.

Meet the author

Mitko Katsev has over a decade of work experience in cybersecurity, systems architecture, and software development. His full-service security consultancy company ArmadilCo specializes in helping startups to top fortune 500 medical device manufacturers build and maintain secure systems.

Mitko has studied system programming and computer engineering and has completed several InfoSec/AppSec trainings and certifications, including SANS Defensible Security Architecture and Engineering (SEC530), SANS Defending Against Adversaries - Purple Team Tactics (SEC599), multiple Microsoft security development lifecycle (SDL) trainings and more.

Learn More

The details

Learning path insights

How to claim CPEs

Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.

Associated NICE Work Roles

All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.

  • All-Source Analyst
  • Mission Assessment Specialist
  • Exploitation Analyst

No software. No set up. Unlimited access.

Skip the server racks and spin up a realistic environment with one click. Infosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.

Get Demo

Plans & pricing

Infosec Skills Personal

$299 / year

Buy Now 7-Day Free Trial
  • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Custom certification practice exams (e.g., CISSP, Security+)
  • Skill assessments
  • Infosec peer community support

Infosec Skills Teams

$799 per license / year

Book a Meeting
  • Team administration and reporting
  • Dedicated client success manager
  • Single sign-on (SSO)
    Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
  • Integrations via API
    Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
  • 190+ role-guided learning paths and assessments (e.g., Incident Response)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Create and assign custom learning paths
  • Custom certification practice exams (e.g., CISSP, CISA)
  • Optional upgrade: Guarantee team certification with live boot camps

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments
Start a Free Trial