Vulnerability assessment (VA) represents a key element of an organization’s information security program. A VA highlights an organization’s security liabilities and helps asset owners, security managers, and business leaders determine information security risk. VAs only report vulnerabilities, though. They don’t substantiate that vulnerabilities actually exist; penetration tests do that.

The past few chapters discussed the tools, ...