A key stage in the security lifecycle is understanding the vulnerabilities that exist across every system in the infrastructure, including clients (both fixed and mobile). Regular vulnerability assessments should be part of any comprehensive security programme. Application and network penetration testing should take place periodically, perhaps every 3 months, with vulnerability assessments as frequently as possible in between.
The number of vulnerabilities catalogued by CERT/CC in 2007 alone was 7,236, equivalent to just over 139 every week throughout the year. Assessments every 3 months therefore leave companies facing an unacceptable level of exposure, even with aggressive and effective patch management programmes in place. Furthermore, vulnerability assessments confirm that patches have actually installed successfully (and that key servers have been rebooted since they were applied), which a patch management console reports rather than verifies. Note that this verification requires a credentialed scan: an unauthenticated network scan can only infer patch level from service banners and cannot see whether a reboot is still pending.
Failure to address known vulnerabilities is frequently cited as the root cause of over 90% of attacks. Orthus offer vulnerability assessments of both externally Internet-facing and internal systems, using one or more of the top three solutions available. Large internal IP address ranges can be scanned by deploying scanning engine technology on-site. Results are presented in graphical form, with the technical detail needed for remediation activity. Solutions can integrate with internal trouble-ticketing systems and present prioritised results linked to the business criticality of the assets scanned.
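As an added worked example (not Orthus's tooling and not code from the original page), the following Python reconciles patch-management records against credentialed scan results to surface the conditions described above: patches the patch system reports as installed but the scan still finds missing (a failed install), patches installed after the last boot and therefore not yet active (reboot pending), and hosts the scan never reached, ordered by an assumed 1 to 5 business-criticality score. The host names, patch identifiers, timestamps and record layouts are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (hypothetical hosts and patch identifiers).
# What the patch-management system reports: patches it believes it installed, and when.
PATCH_RECORDS = {
    "web01": [("KB-A", "2024-03-10T02:00:00+00:00"), ("KB-B", "2024-03-14T02:00:00+00:00")],
    "db01": [("KB-A", "2024-03-10T02:00:00+00:00")],
    "file01": [("KB-A", "2024-03-10T02:00:00+00:00")],
    "mail01": [("KB-A", "2024-03-10T02:00:00+00:00")],
}

# What a credentialed vulnerability scan actually observed on each host:
# the last boot time and the patches it still finds missing. mail01 was not reached.
SCAN_RESULTS = {
    "web01": {"last_boot": "2024-03-12T01:00:00+00:00", "missing": set()},
    "db01": {"last_boot": "2024-03-15T01:00:00+00:00", "missing": {"KB-A"}},
    "file01": {"last_boot": "2024-03-15T01:00:00+00:00", "missing": set()},
}

# Business criticality per asset on an assumed 1 (low) to 5 (high) scale.
CRITICALITY = {"web01": 3, "db01": 5, "file01": 1, "mail01": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    patch_id: str
    state: str  # "missing", "reboot_pending" or "not_scanned"
    criticality: int


def verify_patches(patch_records, scan_results, criticality):
    """Cross-check patch records against scan observations and return findings
    sorted by descending asset criticality, then host and patch id."""
    findings = []
    for host, records in patch_records.items():
        crit = criticality.get(host, 1)  # unknown assets default to low; adjust to local policy
        scan = scan_results.get(host)
        for patch_id, installed_at in records:
            if scan is None:
                # Scanner never reached the host, so nothing can be confirmed.
                findings.append(Finding(host, patch_id, "not_scanned", crit))
            elif patch_id in scan["missing"]:
                # Patch system says installed, scanner says absent: the install failed.
                findings.append(Finding(host, patch_id, "missing", crit))
            elif datetime.fromisoformat(installed_at) > datetime.fromisoformat(scan["last_boot"]):
                # Installed after the last boot, so the fix is not yet in effect.
                findings.append(Finding(host, patch_id, "reboot_pending", crit))
    findings.sort(key=lambda f: (-f.criticality, f.host, f.patch_id))
    return findings


if __name__ == "__main__":
    for f in verify_patches(PATCH_RECORDS, SCAN_RESULTS, CRITICALITY):
        print(f"[crit {f.criticality}] {f.host}: {f.patch_id} {f.state}")
```

Hosts with no findings (file01 above) are silently clean; the ordering puts the highest-criticality failed install first, which is the order a ticketing integration would want to raise work items in.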