What are the responsibilities of a Vulnerability Assessor?
A Vulnerability Assessor examines applications, systems and networks to identify the vulnerabilities within them.
In plain terms, you assess an organization's IT projects and systems for flaws that could cause trouble, then present your findings in a document known as a Vulnerability Assessment report. Your organization plans its improvements based on your findings and recommendations.
As a Vulnerability Assessor, your main deliverable is the vulnerability assessment report, but you may also be required to do the following:
- Identify critical flaws in an application or system that an attacker could exploit
- Regularly conduct vulnerability assessments of networks, operating systems and applications, whether built in house or acquired from third parties
- Conduct regular network scans and the security audits set by your management
- Use automated tools such as Nessus to take over the time-consuming parts of the work while you pinpoint vulnerabilities in the system
- Use manual testing techniques alongside the scanners to understand the situation better and to reduce false negatives (the flaws the automated tools missed)
- Occasionally develop, modify and test applications or scripts for vulnerability testing
- Reduce false positives by manually validating report findings
- Track vulnerabilities and compile them into metrics
- Write detailed reports on vulnerabilities and present them to management
- Define the requirements for new information security solutions or review existing ones
- Give live training to colleagues on network and system administration
- Create and maintain a vulnerability assessment database
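Several of the duties above (driving a scanner such as Nessus, validating findings by hand to remove false positives, compiling metrics, and keeping a vulnerability database) are one workflow, and a small script is how an assessor usually glues them together. The following is an added example, not code from the original page or from Tenable. It assumes a constructed sample export in the column layout of a classic Nessus CSV export (Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name, Synopsis, Description, Solution, See Also, Plugin Output); the hosts, ports and plugin IDs in the sample are illustrative, and column names differ between Nessus versions, so adjust them for your own export.

```python
"""Triage a vulnerability scanner export into a tracking database and metrics.

Added example, not code from the original page. It assumes a constructed
sample in the column layout of a classic Nessus CSV export; column names
differ between Nessus versions, so adjust them for your export.
"""
import csv
import io
import sqlite3
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample export: hosts, ports and plugin IDs are illustrative only.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
10001,,0.0,None,10.0.0.5,tcp,22,SSH Server Detection,Banner,An SSH server is listening.,n/a,,OpenSSH_8.9
10002,CVE-2014-0160,5.0,High,10.0.0.5,tcp,443,Heartbleed Check,Memory leak,TLS heartbeat flaw.,Upgrade OpenSSL.,,Vulnerable
10002,CVE-2014-0160,5.0,High,10.0.0.6,tcp,443,Heartbleed Check,Memory leak,TLS heartbeat flaw.,Upgrade OpenSSL.,,Vulnerable
10003,,4.3,Medium,10.0.0.6,tcp,80,Clickjacking,Missing header,No X-Frame-Options header.,Add the header.,,
10004,,9.8,Critical,10.0.0.7,tcp,445,SMB Signing Disabled,Weak config,SMB signing not required.,Enforce signing.,,
"""


@dataclass(frozen=True)
class Finding:
    plugin_id: str
    cve: str
    cvss: float
    risk: str
    host: str
    port: int
    name: str
    solution: str
    evidence: str  # the scanner's own output, the first thing to check when validating


def parse_scan(csv_text: str) -> List[Finding]:
    """Parse the export; an empty CVSS cell becomes 0.0."""
    return [
        Finding(row["Plugin ID"], row["CVE"], float(row["CVSS"] or 0.0), row["Risk"],
                row["Host"], int(row["Port"]), row["Name"], row["Solution"], row["Plugin Output"])
        for row in csv.DictReader(io.StringIO(csv_text))
    ]


def load_db(findings: List[Finding], conn: Optional[sqlite3.Connection] = None) -> sqlite3.Connection:
    """Store findings keyed by (plugin, host, port) so re-importing a rescan does not duplicate them.

    Informational plugins (Risk 'None') are dropped: they are inventory, not
    vulnerabilities, and would swamp the metrics.
    """
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE IF NOT EXISTS finding (
        plugin_id TEXT, cve TEXT, cvss REAL, risk TEXT, host TEXT, port INTEGER,
        name TEXT, solution TEXT, evidence TEXT,
        status TEXT NOT NULL DEFAULT 'open', note TEXT,
        PRIMARY KEY (plugin_id, host, port))""")
    conn.executemany(
        "INSERT OR IGNORE INTO finding (plugin_id, cve, cvss, risk, host, port, name, solution, evidence)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        [(f.plugin_id, f.cve, f.cvss, f.risk, f.host, f.port, f.name, f.solution, f.evidence)
         for f in findings if f.risk != "None"])
    conn.commit()
    return conn


def validation_queue(conn: sqlite3.Connection) -> list:
    """Open findings, highest CVSS first: the order in which to validate them by hand."""
    return conn.execute(
        "SELECT plugin_id, host, port, risk, cvss, evidence FROM finding"
        " WHERE status = 'open' ORDER BY cvss DESC, plugin_id, host").fetchall()


def mark_false_positive(conn: sqlite3.Connection, plugin_id: str, host: str, port: int, note: str) -> int:
    """Record a manually disproved finding with the reason; returns the number of rows updated."""
    cur = conn.execute(
        "UPDATE finding SET status = 'false_positive', note = ? WHERE plugin_id = ? AND host = ? AND port = ?",
        (note, plugin_id, host, port))
    conn.commit()
    return cur.rowcount


def metrics(conn: sqlite3.Connection) -> dict:
    """Report numbers computed over open findings only, so validated false positives drop out."""
    by_risk = dict(conn.execute(
        "SELECT risk, COUNT(*) FROM finding WHERE status = 'open' GROUP BY risk").fetchall())
    hosts_per_plugin = dict(conn.execute(
        "SELECT plugin_id, COUNT(DISTINCT host) FROM finding WHERE status = 'open' GROUP BY plugin_id").fetchall())
    worst = conn.execute(
        "SELECT host, SUM(cvss) AS total FROM finding WHERE status = 'open'"
        " GROUP BY host ORDER BY total DESC LIMIT 1").fetchone()
    return {"open_by_risk": by_risk, "hosts_per_plugin": hosts_per_plugin,
            "worst_host": worst[0] if worst else None}


def run_demo(csv_text: str = SAMPLE_CSV) -> dict:
    """Walk the workflow on the sample: import, compute metrics, disprove one finding, recompute."""
    db = load_db(parse_scan(csv_text))
    before = metrics(db)
    # Hypothetical manual check: the assessor confirmed signing is enforced, so the Critical is noise.
    mark_false_positive(db, "10004", "10.0.0.7", 445, "SMB signing enforced; verified with a manual SMB negotiate")
    return {"queue": validation_queue(db), "before": before, "after": metrics(db)}


if __name__ == "__main__":
    print(run_demo())
```

The primary key on (plugin, host, port) is what makes the database useful across rescans: importing next month's export adds only new findings, and a status column that survives re-import is what lets you show management a trend rather than a fresh pile of raw scanner output each time. Metrics are computed only over open findings, so the manual validation step directly changes the numbers you report.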
A Vulnerability Assessor is usually someone with a strong interest in hacking. They can move up the ladder to become the following:
- Forensics Expert
- Source Code Auditor
A vulnerability assessor is also known by the following names in the industry:
- Vulnerability Researcher
- Cyber Assessor
- Vulnerability Assessment Analyst
- Security Assessor
The average yearly salary of a Vulnerability Assessor is $77,774. The base salary starts from around $43,840 yearly and can reach a maximum of $123,837 yearly (2016 figures).
A degree is not required to take a job as a Vulnerability Assessor, but at least an associate or bachelor's degree in cyber security, computer science or a related field will boost your chances. Generally, employers are more interested in work experience.
Work experience requirements differ from organization to organization. Generally, a good employer will expect at least 2-3 years of real-world experience in the field.
A vulnerability assessor is often compared to an attacker, because you have to act and think like one to predict what could come next. Employers look for creativity, curiosity and complex problem-solving skills in candidates.
You should also have good attention to detail, with some emphasis on oral and written communication skills. Some organizations will require very strong communication skills because you may be expected to educate people on your team or in your organization.
Below are some general technical skill requirements. They depend a lot on your employer, but strong knowledge of the following can really help. You could also check job listings to see whether there are popular skills you are missing:
- Unix, Windows and Linux operating systems
- Software systems and computer hardware
- Security products and tools
- Metasploit Framework
- Programming languages such as C, C++, C#, Java, PHP, Perl and assembly
- Network scanning tools such as Gold Disk and ACAS
- Understanding of web-based applications
- Standards and regulations such as ISO 27001/27002, SOX, HIPAA and NIST
The following certifications appear commonly in job descriptions. Check with the companies you are interested in working for and choose the certification that is the trend among them:
- CEH: Certified Ethical Hacker
- CEPT: Certified Expert Penetration Tester
- OSCP: Offensive Security Certified Professional
- GCIH: GIAC Certified Incident Handler
- CVA: Certified Vulnerability Assessor
- CPT: Certified Penetration Tester
- GPEN: GIAC Certified Penetration Tester
- CISSP: Certified Information Systems Security Professional
By Jake Ciber