There are 3 terms that sound similar, but are actually different in their meanings:

• Vulnerability Scanning: Vulnerability Scanning simply means the process of using Vulnerability Scanners, which are automated tools, to scan or inspect a given system and identify potential harmful vulnerabilities, mis configurations or flaws in it. Apart from identifying weaknesses, it can also predict the effectiveness of countermeasures. Of course, since it is done by using automated tools, it may sometimes give inaccurate results.

  Examples of Vulnerability Scanning software: Nessus, OpenVAS, Nexpose, etc.

  
  

• Vulnerability Assessment: Vulnerability Assessment is not actually a scan, it is a one-time project with a defined start and end date. Usually, an external Information Security Consultant will review your corporate environment and identify a variety of potentially exploitable vulnerabilities that you are exposed to in a detailed report. The report will not only list the identified vulnerabilities, but also provide actionable recommendations for remediation. Once a final report is prepared, the vulnerability assessment ends.

  During such a project, you might do both kind of things:

  1. Vulnerability Scanning (which is the Automated part)

  2. Manual Vulnerability Identification (which is the Manual part)

  So, as you can see, vunerability scanning is just a part of the overall process during a vulnerability assessment project.

  
  

  When I do vulnerability assessment as part of a penetration test, I usually like to give it a different name which is "Vulnerability Analysis". I do this because Vulnerability Assessment is just one of the many steps of penetration testing... But you might remember that I previously explained, Vulnerability Assessment is a seperate project in itself. This can get confusing. So that's why when I do the same Vulnerability Assessment as part of a penetration test, I call it "Vulnerability Analysis", and when I do it as a complete seperate project, I call it a "Vulnerability Assessment". This is not given in any book. But to avoid confusions, this is what I do and other people might have different opinions about it.

• Vulnerability Management: It is not a scan or a one-time project. Vulnerability Management is a "program" which an organization might have, with the goal of continuously finding out the vulnerabilities it has and then dealing with them in appropriate ways. It can contain many different projects like:

  • Identifying Assets That Should Be Tested, Risk Assessment, Information Management, Vulnerability, Assessment, Incident Response Planning, Remediating The Found Vulnerabilities, Verifying That The Vulnerabilities Has Been Fixed, etc.

  For now, you do not need to understand the meaning of any of these specific projects inside Vulnerability Management. I just gave you a basic idea.

So, as you can see, vunerability scanning is just a part of a vulnerability assessment project, and vulnerability assessment is just a part of the overall vulnerability management program.