In this video, you will learn to describe the vulnerability assessment methodologies. There is something I mentioned before that we normally use in the pen testing world or scenarios, but it could be something that is separate from the pen testing world, and this is the vulnerability assessment test. So as I mentioned, there are tools that will exploit or will try to give us vulnerabilities for each of the systems that we are dealing with. So for example, when we have a system and we know that that system runs an Apache server on port 80, on version 2.4 for example, we could start understanding each of the exploits by doing a manual search, but we can use OpenVAS, for example, to perform an automated vulnerability assessment. So the tool will be run on the network from your client and will give us a lot of information on possible exploits that we could use as pen testers to gain access to the system.

Now the important part of the vulnerability assessment methodology is that the vulnerability assessment finishes with the report, finishes with an understanding of the vulnerability. The vulnerability assessment report will not exploit the vulnerability identified on the system. So it will only give us the report, it will only give us the information to exploit that vulnerability, but it will not exploit the vulnerability itself. So that's the next step if we're dealing with a pen testing methodology, but if we're talking about vulnerability assessment we're just dealing with information that could harm a system or could be used to exploit a system, not necessarily the exploitation process or the post-exploitation process. That's something important to understand.

So here is a weaker scenario recommended by some companies or followed by some companies. So the vulnerability assessment or the vulnerability scanning could be done quarterly or bi-monthly or bi-weekly or on a monthly basis. Why?
Because normally something automated is something that is already configured in a system, it's already configured in a tool, and it will be running automatically on a regular basis on the internal network. So when we have all the information from the vulnerability scanners, we could start trying to patch the systems or adding security to the systems so that the vulnerabilities or the exploits are no longer available for attackers to get access to the system.

Now to start or to test that we're doing the correct patching or the correct sanitisation of each of the vulnerabilities that we detect in the vulnerability scanning, normally we perform a penetration testing process. This could be done annually, for example; on some occasions one or two times per year is important or is recommended. But in this case the pen testers will take not just the vulnerabilities that you already know that you have, but probably will take some additional exploits or techniques, for example social engineering techniques, to try to exploit your systems. So this is something that will be done manually. I mean, there are companies that will bring in consultants to deploy or to execute pen testing. In the vulnerability assessment scenario, there is not necessarily a consultant, but it could be system-generated information on the vulnerability list that you have.