Page 1081 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Performing Vulnerability Assessments


               Vulnerability assessments are some of the most important testing
               tools in the information security professional’s toolkit. Vulnerability
               scans and penetration tests provide security professionals with a
               perspective on the weaknesses in a system or application’s technical
               controls.



                  Just to be clear on terminology, vulnerability assessments
                  as they are described in this chapter are actually security testing
                  tools, not security assessment tools. They probably should be
                  called vulnerability tests for linguistic consistency, but we’ll stick
                  with the language used by (ISC)² in the official CISSP body of
                  knowledge.




               Describing Vulnerabilities

               The security community depends upon a common set of standards to
               provide a common language for describing and evaluating
               vulnerabilities. NIST provides the community with the Security
               Content Automation Protocol (SCAP) to meet this need. SCAP
               provides this common framework for discussion and also facilitates
               the automation of interactions between different security systems. The
               components of SCAP include the following:

                    Common Vulnerabilities and Exposures (CVE) provides a naming
                    system for describing security vulnerabilities.

                    Common Vulnerability Scoring System (CVSS) provides a
                    standardized scoring system for describing the severity of security
                    vulnerabilities.

                    Common Configuration Enumeration (CCE) provides a naming
                    system for system configuration issues.

                    Common Platform Enumeration (CPE) provides a naming system