Why and How to Become a Vulnerability Assessor
The function of a vulnerability assessor, who is also identified as a vulnerability assessor analyst, is to look carefully at the applications or systems to figure out any vulnerabilities that may exist within them. While we only perceive the job of a vulnerability assessor from a cybersecurity point of view, this job extends to include physical security such as locks, buildings, money in transit, etc.
The core function of a vulnerability assessor is to always search for trouble, such as identifying any existing flaws that seem to be critical in an organization’s network. Then, all the findings should be presented to the manager in the form of a comprehensive list that outlines priorities. Such a list is then treated by the organization as a blueprint for improvements.
As previously mentioned, the main responsibility is to get the vulnerability assessment report submitted to the organization’s principals. For the sake of accomplishing this task, there are some sub-tasks that are required from a vulnerability assessor. The following list attempts to tackle most of these assumed responsibilities:
- Look for any dangerous vulnerabilities in an organization’s applications such that no attacker may be able to exploit them afterwards.
- Perform many tests and careful investigations for such critical flaws inside the networks, applications, and operating systems that are supported by the organization.
- Perform some audits on the network security and scan the network on a basis that the assessor determines.
- Make use of security tools to accomplish these tasks. One of the main tools that should be used is Nessus; automated scanning matters because it produces the same results in a much shorter amount of time.
- On the other hand, such automated tools can sometimes be fooled. Most security tools search for predefined patterns to find vulnerabilities or threats within the network, which means that if the pattern is slightly changed, these tools may be misled, resulting in false negatives. This is where the role of the vulnerability assessor shines: performing manual investigation of the network gives a real sense of the organization’s environment and a better understanding of what should be considered a threat.
- It is also really important for a vulnerability assessor to be comfortable with writing and developing or modifying scripts and applications that can perform the testing for vulnerabilities in the network or the system in general.
- The rate of false positives has to be managed, though. This means that a vulnerability assessor may spend time manually reviewing the report again, trying to minimize the number of false positives.
- The detected vulnerabilities also need to be tracked over time and compiled for metrics purposes.
- A comprehensive vulnerability assessment is to be submitted thoroughly based on all of such investigations by the vulnerability assessor.
- It is also really important that a vulnerability assessor provides applicable solutions to all the vulnerabilities after reviewing them in a concrete manner.
- He should also provide the system and network administrators within an organization with the required training to raise the security standards across the entire organization.
- A database of all the assessments should be maintained and developed over time by the vulnerability assessor as well.
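The triage steps in the list above (drop findings that manual review confirmed as false positives, rank what remains by priority, compare against the previous assessment and compile metrics over time) can be captured in a small script. The following is an added example, not code from the original article; the hosts, check identifiers and CVSS scores are constructed sample data, and the function names are hypothetical.

```python
"""Triage helper for vulnerability-scanner output (added example, constructed data).

Drops manually confirmed false positives, ranks the remaining findings so the
report leads with what matters most, and compares two assessments so that new,
persisting and resolved issues can be tracked as metrics over time.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str      # scanner check / plugin identifier (constructed values)
    title: str
    cvss: float        # CVSS base score, 0.0 to 10.0
    first_seen: date   # date the finding first appeared in any assessment

    @property
    def key(self):
        """A finding is identified by host plus check, not by its title text."""
        return (self.host, self.check_id)


def severity(cvss):
    """Map a CVSS base score onto the usual qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "info"


def prioritize(findings, false_positives):
    """Remove confirmed false positives and rank the rest for the report.

    Ties on score are broken by how many hosts share the same check, so a
    widespread medium outranks a one-off medium; host and check id keep the
    order deterministic.
    """
    kept = [f for f in findings if f.key not in false_positives]
    spread = Counter(f.check_id for f in kept)
    return sorted(kept, key=lambda f: (-f.cvss, -spread[f.check_id], f.host, f.check_id))


def compare(previous, current):
    """Classify findings as new, resolved or persisting between two assessments."""
    prev_keys = {f.key for f in previous}
    cur_keys = {f.key for f in current}
    return {
        "new": cur_keys - prev_keys,
        "resolved": prev_keys - cur_keys,
        "persisting": prev_keys & cur_keys,
    }


def metrics(previous, current, as_of):
    """Numbers a manager can track from one assessment to the next."""
    delta = compare(previous, current)
    ages = [(as_of - f.first_seen).days for f in current]
    return {
        "open": len(current),
        "by_severity": dict(Counter(severity(f.cvss) for f in current)),
        "new": len(delta["new"]),
        "resolved": len(delta["resolved"]),
        "persisting": len(delta["persisting"]),
        "mean_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
    }


def run_report(previous, current, false_positives, as_of):
    """Assemble what goes to management: ranked findings plus trend metrics."""
    prev = [f for f in previous if f.key not in false_positives]
    cur = prioritize(current, false_positives)
    return {"ranked": cur, "delta": compare(prev, cur), "metrics": metrics(prev, cur, as_of)}


# Constructed sample: two scan runs of a small network (hypothetical hosts and checks).
PREVIOUS_SCAN = [
    Finding("10.0.0.5", "CHK-1001", "Outdated TLS configuration", 5.3, date(2024, 1, 10)),
    Finding("10.0.0.7", "CHK-1001", "Outdated TLS configuration", 5.3, date(2024, 1, 10)),
    Finding("10.0.0.9", "CHK-2042", "Unauthenticated admin interface", 9.8, date(2024, 1, 10)),
    Finding("10.0.0.5", "CHK-3003", "Banner suggests vulnerable version", 7.5, date(2024, 1, 10)),
]
CURRENT_SCAN = [
    Finding("10.0.0.5", "CHK-1001", "Outdated TLS configuration", 5.3, date(2024, 1, 10)),
    Finding("10.0.0.7", "CHK-1001", "Outdated TLS configuration", 5.3, date(2024, 1, 10)),
    Finding("10.0.0.5", "CHK-3003", "Banner suggests vulnerable version", 7.5, date(2024, 1, 10)),
    Finding("10.0.0.12", "CHK-4100", "Default credentials accepted", 9.8, date(2024, 2, 14)),
]
# Manual review found the banner on 10.0.0.5 is stale (patch was backported): false positive.
FALSE_POSITIVES = {("10.0.0.5", "CHK-3003")}

if __name__ == "__main__":
    report = run_report(PREVIOUS_SCAN, CURRENT_SCAN, FALSE_POSITIVES, date(2024, 2, 20))
    for rank, f in enumerate(report["ranked"], 1):
        print(f"{rank}. [{severity(f.cvss)}] {f.host} {f.check_id} {f.title}")
    print(report["metrics"])
```

The false-positive set is keyed on host and check rather than on the finding's title, so a suppression applies to exactly one host and does not silently hide the same check elsewhere; it is also removed from the previous assessment before comparing, so a suppressed finding is never counted as "resolved".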
In general, one can think of a vulnerability assessor as a consultant who looks for security issues from an outside view.
There is in fact a major difference between a vulnerability assessor and a penetration tester. A comparison between them both looks like the following:
- A vulnerability assessor is focused on developing a comprehensive list of security vulnerabilities, with priorities attached to the recommended actions. The clients here are mostly well aware that they are not the best at security and want to make improvements accordingly. They need the vulnerability assessor to help them detect the vulnerabilities and prioritize them according to the hazards associated with each.
- A penetration tester on the other hand aims at breaking into a system or exploiting a vulnerability in an application that is presumed to be secure. A client in this case assumes that what they have is already secured and they want the penetration tester to help them make it even more secure against any potential attacks that could be performed from an attacker’s point of view. A typical goal for a penetration tester is to get access into the customer’s database on the internal network, or to get some HR records of the organization modified.
In general, a penetration tester is goal oriented while a vulnerability assessor is list oriented.
A vulnerability assessor is usually someone who has always had an interest in hacking, since school or university, and who loved looking for vulnerabilities and exploiting them. Consequently, a vulnerability assessor may take the role of a penetration tester, or may also be responsible for other related tasks apart from vulnerability assessment. For instance, a vulnerability assessor may have the role of:
- Source code auditor
- Forensics expert
- Security consultant
A vulnerability assessor may be recognized and described as one of the following job title terminologies:
- Vulnerability Assessment Analyst
- Vulnerability Researcher
- Cyber Assessor
- Security Assessor
Because this job is very specialized within the field of computer security, there is no clear average salary for it provided by BLS or Payscale. However, searching for the job title “vulnerability assessor” on the SimplyHired website gives an average salary of $63,000, while searching for “vulnerability assessor analyst” gives an average salary of $54,000.
It is important to note that searching for such job titles also includes physical vulnerability assessor jobs in the results, making these averages somewhat inaccurate. Nevertheless, as a cyber security specialist, you should expect an average salary of $70k to $80k if you consider working in the Midwest, or $85k to $95k on average for a job on either the West or the East Coast.
In fact, there is no particular major or degree required for this position. Holding a bachelor’s degree in Computer Science, Cyber Security or an equivalent field is of course good to have. However, real-life experience in the world of computer security is always desirable before looking for vulnerabilities and potential attacks; that is what an employer looks for in the first place. As a result, a master’s degree is not really required by the time you would be granted the job.
In general, most employers look for 2 to 3 years of work experience before selecting a candidate for a security specialist job. However, this period is not written in stone, which means that some organizations may require more or less experience depending on the level of security they aim for.
There are a number of general requirements you should make sure you are good at before considering a job in vulnerability assessment. The following points give an intuition of how to prepare for the job responsibilities, but employers sometimes require more specific technical skills and describe them in their job postings.
- A perfect candidate has to be experienced in both Windows and Unix-like systems (such as Linux).
- Programming languages such as C, C++, C#, Java, assembly, PHP, and Perl should be well absorbed by a candidate.
- A candidate should also be familiar with network scanning tools such as Nessus, ACAS, RETINA, Gold Disk, etc.
- A solid knowledge of both hardware and software systems is highly required.
- Experience with web-based applications and their security is also recommended.
- A candidate should also be familiar with security frameworks and regulations such as ISO 27001/27002, NIST, HIPAA, SOX, etc.
- A candidate has to be experienced with Metasploit framework.
- Familiarity with security tools such as Fortify and AppScan is also recommended.
- Surprisingly, programming is not required when the job description is focused on network assessment rather than application assessment.
Finally, a vulnerability assessor is highly involved in reverse engineering and vulnerability analysis, which implies that a candidate has to be comfortable with these topics.
Don’t take me wrong. Employers look for bad guys here. What? To elaborate, an employer looks for a candidate who is curious enough, creative, and approaches problems in a different and unique way. This is the core of the job in the first place. You should think of the system as your prey to exploit and attack. You should not play by the rules here. This aspect applies to both penetration testing and vulnerability assessment jobs.
Also, other soft skills such as paying attention to the slightest details and having a puzzler’s brain are highly desirable to employers. Finally, good oral and written communication skills and the ability to educate people are a plus, since one of the responsibilities is to educate administrators in security practices for better security across the organization.
Well, the following list summarizes the main certifications that employers demand before hiring a vulnerability assessor. Before getting into the list, I want to mention that certifications like CISSP and the penetration testing certifications are simply a must-have, seriously. On the other hand, there is one certificate that is very specific to vulnerability assessment, the Certified Vulnerability Assessor (CVA). It is offered by Mile2, an information technology security company that develops and provides proprietary accredited cybersecurity certifications.
- CEH: Certified Ethical Hacker
- CPT: Certified Penetration Tester
- CEPT: Certified Expert Penetration Tester
- GPEN: GIAC Certified Penetration Tester
- OSCP: Offensive Security Certified Professional
- CISSP: Certified Information Systems Security Professional
- GCIH: GIAC Certified Incident Handler
- CVA: Certified Vulnerability Assessor