Performing Vulnerability Assessments

Managing security means dealing with changing tools, technologies, equipment, and business requirements. Anyone who follows security updates related to viruses, security threats, and other constantly changing aspects of the security landscape understands that managing change and coping with new sources of potential threat or compromise is a never-ending task. Thus, it's entirely reasonable to say that security is as much a matter of regular, rigorous routine as it is a matter of mastering and keeping up with a body of knowledge and skills.

One important aspect of the security routine is sometimes called the "Inverse Golden Rule": do unto yourself before others can do unto you. In less poetic terms, this means that as new exploits and vulnerabilities become known, it's essential that you run them against your own systems and networks. This permits you to assess, and if necessary correct, potential vulnerabilities before an attacker uses them against your organization.

What an attacker seeking illicit entry into a system sees as a probe for weaknesses, you should see as a security scan that can report on potential sources of exposure or vulnerability; the techniques are the same, only the intent and the authorization differ. By performing regular security scans on your systems and networks, especially on any points of ingress from outside your network (scanned from the outside, where the attacker sits), but also on any points of ingress to classified information and services, you can anticipate what attackers might attempt, and forestall such attacks by taking proper pre-emptive measures. Keep in mind that a scan is itself traffic that can trip intrusion detection and, for aggressive checks, disturb fragile services, so scope and schedule it deliberately.

This explains why many types of security software packages and services include vulnerability checks as part of what they do. Such offerings range from single-purpose security scanners designed solely to probe for and report on vulnerabilities, to more complex, all-encompassing security or network management systems that not only look for vulnerabilities but also provide tools and controls to help deal with them when they occur. Whatever type of tool or regimen you use to assess your system and network vulnerabilities, it's essential to perform such checks at regular intervals and to compare each result against the previous one, so that new exposure (a port that opened, a service that appeared) stands out. Likewise, it's equally essential to make what you might call emergency or spot checks for particular vulnerabilities as they become known to the security community at large: when an advisory names affected versions, find out the same day whether any of them are reachable on your network.
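As an added example, not code from the book or from any product it mentions, the following Python script shows both halves of the routine just described: a regular scan of an ingress host whose open ports are compared against an approved-exposure baseline, and a spot check that looks for a service banner matching a newly announced vulnerable version. The host address, port list, baseline and banner are constructed for illustration, and the "hypothetical advisory" is invented; the fake local service is a fixture so the script runs offline against 127.0.0.1.

```python
import socket
import threading

# Constructed example baseline: which ports an ingress host is approved to expose.
# (Hypothetical data for illustration, not from the book.)
APPROVED_EXPOSURE = {"203.0.113.10": {22, 443}}


def start_fake_service(banner: bytes) -> int:
    """Fixture only: start a local TCP service on an ephemeral port that sends
    `banner` to every client, and return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def scan_host(host: str, ports, timeout: float = 0.5) -> dict:
    """Connect to each port; return {port: banner} for those that accept a TCP
    connection. The banner is whatever the service volunteers within `timeout`
    (empty for services that wait for the client to speak first, e.g. HTTP)."""
    observed = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue  # closed or filtered
            try:
                raw = s.recv(256)
            except OSError:  # includes socket.timeout
                raw = b""
            observed[port] = raw.decode("ascii", "replace").strip()
    return observed


def compare_to_baseline(host: str, observed: dict, baseline: dict) -> dict:
    """Regular scan: anything open that the baseline does not approve is new
    exposure to investigate; an approved port that is closed may mean a
    service or firewall rule changed without anyone noticing."""
    approved = baseline.get(host, set())
    return {
        "unexpected": sorted(set(observed) - approved),
        "missing": sorted(approved - set(observed)),
    }


def spot_check(observed: dict, vulnerable_prefixes) -> list:
    """Spot check for a newly announced issue: flag services whose banner
    starts with one of the version strings the advisory lists as affected."""
    hits = []
    for port, banner in sorted(observed.items()):
        for prefix in vulnerable_prefixes:
            if banner.startswith(prefix):
                hits.append((port, banner))
                break
    return hits


if __name__ == "__main__":
    # Offline demonstration against a fake local service with a constructed banner.
    host = "127.0.0.1"
    port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    observed = scan_host(host, [port], timeout=2.0)
    print("observed:", observed)
    print("drift:", compare_to_baseline(host, observed, {host: {22, 443}}))
    # Hypothetical advisory: pretend all OpenSSH 7.x banners are affected.
    print("spot check:", spot_check(observed, ["SSH-2.0-OpenSSH_7."]))
```

In practice the baseline lives in version control next to the firewall rules, the scan runs from a host outside the perimeter as well as from inside, and the `"unexpected"` list is what gets a ticket; banner matching is only a first pass for a spot check, since services can hide or lie about their version, so confirm hits with the vendor's own check or a package inventory.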

Many organizations create service relationships with security companies who perform regular scans on their behalf. Other organizations prefer to keep such activity in-house, and authorize their IT staffs to mount "white hat" attacks (as distinguished from the bad guys, known as "black hats") and vulnerability scans at regular intervals and as needed. In either case the authorization should be explicit and written, with the target scope and schedule agreed in advance, so that the scan cannot be mistaken for a real attack by the people who monitor the network. As long as you implement such scans as part of your regular security routine, and make appropriate changes and updates to address the vulnerabilities they find, it doesn't matter whether you perform the scan or somebody else does it for you. The important thing is that it be done properly and handled correctly.
