Vulnerability Identification Methods
Techniques for finding vulnerabilities including vulnerability scanning, SAST, DAST, threat intelligence feeds, OSINT, and penetration testing methodologies.
Understanding Vulnerability Identification Methods
Vulnerability identification discovers security weaknesses before attackers do. Multiple methods exist because no single technique finds all vulnerabilities—defense requires layered approaches.
Key identification methods:
- Vulnerability scanning: automated detection
- Application testing: SAST, DAST, IAST
- Threat intelligence: external vulnerability information
- OSINT: open source reconnaissance
- Penetration testing: simulated attacks
The 2017 Equifax breach exploited a known Apache Struts vulnerability that had a patch available for two months. Equifax's vulnerability scanning program failed to identify the vulnerable server, demonstrating that identification must be comprehensive and continuous.
Finding vulnerabilities first is essential—attackers are always looking.
Why This Matters for the Exam
Vulnerability identification is heavily tested on SY0-701 because it's fundamental to security operations. Questions cover scan types, application testing, and threat intelligence sources.
Understanding identification methods helps with vulnerability management, risk assessment, and security testing. You can't fix what you don't find.
The exam tests recognition of identification methods and appropriate selection.
Deep Dive
What Is Vulnerability Scanning?
Vulnerability scanning uses automated tools to detect known vulnerabilities.
Scan Types:
| Type | Description | Use Case |
|---|---|---|
| Network scan | Scan network devices/hosts | Infrastructure |
| Web application scan | Scan web apps | Applications |
| Database scan | Scan database configs | Data tier |
| Cloud scan | Scan cloud configurations | Cloud security |
Authenticated vs Unauthenticated:
Unauthenticated (external view):
- No credentials
- Sees what an attacker sees
- Fewer findings
- May miss internal vulnerabilities
- Faster, less intrusive

Authenticated (internal view):
- Uses credentials
- Deeper inspection
- More findings
- Sees patch levels
- More accurate results
Scan Comparison:
| Aspect | Unauthenticated | Authenticated |
|---|---|---|
| Credentials | None | Valid account |
| Depth | Surface | Deep |
| Accuracy | More false positives | More accurate |
| Coverage | External view | Internal view |
| Use case | Perimeter testing | Complete assessment |
What Is Application Security Testing?
Application testing finds vulnerabilities in software.
SAST (Static Application Security Testing):
- What: Analyzes source code without executing it
- When: During development (shift left)
- Finds: Coding errors, SQL injection paths, XSS sources
- Pros:
  - Finds issues early
  - Complete code coverage
  - No running application needed
- Cons:
  - Many false positives
  - Can't find runtime issues
  - Requires source code access
DAST (Dynamic Application Security Testing):
- What: Tests the running application
- When: Testing/staging environment
- Finds: Runtime vulnerabilities, authentication issues
- Pros:
  - Tests real behavior
  - Finds runtime issues
  - No source code needed
- Cons:
  - Requires a running application
  - Can't find dormant code issues
  - May not achieve full coverage
IAST (Interactive Application Security Testing):
- What: Combines SAST and DAST by instrumenting the application
- When: During testing with real traffic
- Finds: Both code and runtime issues
- Pros:
  - More accurate (fewer false positives)
  - Real-time feedback
  - Correlates code to runtime
- Cons:
  - Requires instrumentation
  - May affect performance
  - Complex setup
Testing Comparison:
| Aspect | SAST | DAST | IAST |
|---|---|---|---|
| Tests | Source code | Running app | Both |
| When | Development | Testing | Testing |
| False positives | High | Medium | Low |
| Coverage | Code paths | Exposed functionality | Both |
What Are Threat Intelligence Feeds?
Threat feeds provide external vulnerability and threat information.
Feed Types:
| Type | Content |
|---|---|
| Vulnerability feeds | New CVEs, exploits |
| Indicator feeds | IOCs, malware hashes |
| Reputation feeds | Bad IPs, domains |
| Strategic feeds | Threat actor TTPs |
Intelligence Sources:
Commercial:
- Recorded Future
- Mandiant
- CrowdStrike

Open source:
- CISA alerts
- US-CERT
- MITRE ATT&CK
- AlienVault OTX

Industry:
- ISACs (sector-specific)
- FS-ISAC (financial)
- H-ISAC (healthcare)
What Is OSINT?
Open Source Intelligence gathers publicly available information about your organization's exposure.
OSINT Sources:
| Source | Information |
|---|---|
| Search engines | Exposed documents, configs |
| Social media | Employee info, company details |
| Code repos | Leaked credentials, code |
| Paste sites | Data leaks |
| DNS/WHOIS | Infrastructure details |
| Shodan/Censys | Exposed devices |
OSINT for Vulnerability Assessment:
Find:
- Exposed services (Shodan)
- Leaked credentials (paste sites)
- Developer mistakes (GitHub)
- Domain information (DNS)
- Certificate transparency logs

Purpose:
- See what attackers see
- Find shadow IT
- Identify exposure
- Assess attack surface
What Is Penetration Testing?
Penetration testing simulates real attacks to find exploitable vulnerabilities.
Penetration Test Types:
| Type | Knowledge | Simulates |
|---|---|---|
| Black box | No info given | External attacker |
| White box | Full info given | Insider/audit |
| Gray box | Partial info | Targeted attacker |
Penetration Test Phases:
1. Planning/Scoping
   - Define targets
   - Set rules of engagement
   - Get authorization
2. Reconnaissance
   - OSINT gathering
   - Network mapping
   - Service enumeration
3. Vulnerability Assessment
   - Identify weaknesses
   - Plan attacks
4. Exploitation
   - Attempt to exploit
   - Gain access
5. Post-Exploitation
   - Privilege escalation
   - Lateral movement
   - Data access
6. Reporting
   - Document findings
   - Provide remediation
Rules of Engagement:
Define:
- Scope (what to test)
- Methods (what's allowed)
- Timing (when to test)
- Contacts (who to notify)
- Boundaries (what's off-limits)
- Authorization (written approval)
How CompTIA Tests This
Example Analysis
Scenario: A company wants to implement a comprehensive vulnerability identification program. They have web applications, internal networks, cloud infrastructure, and mobile apps. Design an identification strategy.
Analysis - Comprehensive Vulnerability Identification:
Asset Categories:
1. Web applications (10 customer-facing)
2. Internal network (500 hosts)
3. Cloud infrastructure (AWS)
4. Mobile applications (iOS/Android)
Identification Methods by Asset:
Web Applications:
Development phase:
- SAST: analyze source code during CI/CD
- Tools: SonarQube, Checkmarx
- Frequency: every commit

Testing phase:
- DAST: test running applications
- Tools: OWASP ZAP, Burp Suite
- Frequency: before each release

Production:
- Web application scanning
- Tools: Qualys WAS, Nessus
- Frequency: weekly

Annual:
- Penetration testing (third-party)
- Scope: all customer-facing apps
Internal Network:
Authenticated scanning:
- Tools: Nessus, Qualys
- Credentials: domain admin equivalent
- Frequency: weekly
- Coverage: all 500 hosts

Unauthenticated scanning:
- Tools: same
- Frequency: monthly
- Purpose: external attacker view

Discovery scanning:
- Find new/unknown devices
- Compare to asset inventory
- Frequency: daily
Cloud Infrastructure:
Configuration scanning:
- Tools: AWS Config, Prowler, ScoutSuite
- Check: CIS benchmarks, security groups
- Frequency: continuous

Infrastructure scanning:
- Tool: cloud-native scanner
- Targets: EC2 instances, containers
- Frequency: weekly
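What a "security groups" configuration check looks like in practice, as an added example (not code from the page, from AWS, or from Prowler/ScoutSuite): the function below walks security-group descriptions in the shape returned by the EC2 `describe_security_groups` API and flags ingress rules that open management ports to the whole Internet, the kind of control the CIS benchmarks the page mentions cover. The group ids, group names and rules are constructed sample data, and the choice of SSH and RDP as the sensitive ports is an assumption for the illustration.

```python
"""Cloud configuration check: security-group rules that expose management
ports to 0.0.0.0/0 or ::/0. Added illustration; the input is constructed to
match the shape of EC2 describe_security_groups() output."""

WORLD = {"0.0.0.0/0", "::/0"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}   # assumption: ports treated as sensitive

# Constructed sample groups (ids and names are placeholders, not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy",
     "IpPermissions": [
         {"IpProtocol": "-1",                      # -1 = all protocols, all ports
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "admin",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def _world_open(rule: dict) -> bool:
    """True if the rule's source ranges include an any-address CIDR (v4 or v6)."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD)


def _exposed_ports(rule: dict) -> set[int]:
    """Sensitive ports a rule covers. Protocol -1 has no port fields and
    means everything; only TCP rules are considered for SSH/RDP."""
    if rule.get("IpProtocol") == "-1":
        return set(MANAGEMENT_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def audit_security_groups(groups: list[dict]) -> list[tuple[str, int, str]]:
    """Return (group id, port, service) for every world-open management port."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            if not _world_open(rule):
                continue
            for port in sorted(_exposed_ports(rule)):
                findings.append((group["GroupId"], port, MANAGEMENT_PORTS[port]))
    return findings


if __name__ == "__main__":
    for group_id, port, service in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (tcp/{port}) reachable from the Internet")
```

The web group passes (443 is meant to be public), the admin group passes (RDP is restricted to an internal range), and the bastion and legacy groups are flagged. Running the same check on every configuration change, rather than on a weekly schedule, is what the "Frequency: continuous" line above means in practice.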
Mobile Applications:
Static analysis:
- Tools: MobSF, Checkmarx
- Analyze: APK/IPA files
- When: before release

Dynamic analysis:
- Tools: Frida, Objection
- Test: runtime behavior
- When: each release
Threat Intelligence Integration:
Feeds:
- CISA alerts (free)
- Commercial feed (Recorded Future)
- Industry ISAC (if applicable)

Integration:
- Feed into vulnerability scanner
- Prioritize known exploited vulns
- Alert on new critical CVEs
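The three integration points above (feed the scanner, prioritize known-exploited findings, alert on new criticals) as one worked example, added here and not taken from the page or from any feed vendor. Scanner findings are joined with a constructed "known exploited" feed and with asset criticality from the inventory, ranked, and diffed against the previous feed pull. The CVE ids are placeholders, the scoring formula is an assumption chosen for the example rather than any standard, and the criticality scale is invented.

```python
"""Threat-intelligence integration: rank scan findings using a known-exploited
feed and asset criticality, and alert on CVEs newly added to the feed.
Added illustration; all data is constructed and the CVE ids are placeholders."""
from dataclasses import dataclass

# Constructed scanner output: (host, CVE id, CVSS base score).
SCAN_FINDINGS = [
    ("web-01", "CVE-0000-1001", 9.8),
    ("web-01", "CVE-0000-1002", 5.3),
    ("db-01", "CVE-0000-1003", 7.5),
    ("db-01", "CVE-0000-1004", 4.0),
]

# Constructed feed of CVEs with reported in-the-wild exploitation, in the
# spirit of a "known exploited vulnerabilities" list.
KNOWN_EXPLOITED = {"CVE-0000-1002", "CVE-0000-1003"}

# Constructed asset criticality from the inventory (1 = low, 3 = high).
ASSET_CRITICALITY = {"web-01": 3, "db-01": 3, "dev-01": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    exploited: bool
    criticality: int

    @property
    def priority(self) -> float:
        """Assumed formula: known-exploited findings always outrank the rest;
        within each group, weight CVSS by how important the asset is."""
        return self.cvss * self.criticality + (100.0 if self.exploited else 0.0)


def enrich(findings, exploited_feed, criticality):
    """Join raw scan rows with the feed and the inventory (the 'feed into
    vulnerability scanner' step). Unknown hosts default to low criticality."""
    return [
        Finding(host, cve, cvss, cve in exploited_feed, criticality.get(host, 1))
        for host, cve, cvss in findings
    ]


def prioritize(findings, exploited_feed, criticality):
    """Return findings ordered from most to least urgent to remediate."""
    return sorted(enrich(findings, exploited_feed, criticality),
                  key=lambda f: f.priority, reverse=True)


def new_critical_alerts(previous_feed, current_feed, findings, threshold=7.0):
    """CVEs that entered the feed since the last pull and match an open
    finding at or above the CVSS threshold: these warrant an immediate alert
    rather than waiting for the next scheduled review."""
    newly_added = current_feed - previous_feed
    return sorted({cve for _, cve, cvss in findings
                   if cve in newly_added and cvss >= threshold})


if __name__ == "__main__":
    for f in prioritize(SCAN_FINDINGS, KNOWN_EXPLOITED, ASSET_CRITICALITY):
        flag = "EXPLOITED" if f.exploited else "         "
        print(f"{f.priority:6.1f} {flag} {f.host:7} {f.cve} CVSS {f.cvss}")
    print("alerts:", new_critical_alerts({"CVE-0000-1002"}, KNOWN_EXPLOITED, SCAN_FINDINGS))
```

Note what the ranking does to the CVSS 5.3 finding: because the feed says it is being exploited, it outranks the CVSS 9.8 one that is not. That is the practical meaning of "prioritize known exploited vulns": exploitation evidence beats raw severity when deciding what to patch first.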
OSINT Monitoring:
Monitor for:
- Company name on paste sites
- Credentials in breaches
- Exposed services (Shodan)
- Code/config leaks (GitHub)

Tools: SpiderFoot, theHarvester
Frequency: weekly
Key insight: Comprehensive identification requires multiple methods—SAST for code, DAST for running apps, authenticated scanning for infrastructure, cloud-specific tools for cloud, and threat intelligence for prioritization. No single tool finds everything.
Memory Trick
Scan Types:
- "Authenticated = All-access pass (deep view)"
- "Unauthenticated = Unknown visitor (surface only)"
Application Testing - "SDI":
- SAST = Source code (Static)
- DAST = Deployed app (Dynamic)
- IAST = Instrumented (Interactive)
Pen Test Types:
- "Black box = Blind (no info)"
- "White box = Wide open (full info)"
- "Gray box = Got some (partial info)"
OSINT Sources - "SSDPC":
- Shodan (exposed devices)
- Social media (people)
- DNS/WHOIS (infrastructure)
- Paste sites (leaks)
- Code repos (secrets)
Pen Test Rule: "No Rules of Engagement = No testing" (REN) - Always get written authorization!
Test Your Knowledge
Q1. Which scan type provides the MOST accurate view of a system's vulnerabilities?
Q2. Which testing method analyzes source code WITHOUT executing the application?
Q3. A penetration tester is given no information about the target network. What type of test is this?