We can’t measure or manage risk unless we know about the vulnerabilities in our own software and systems. To do this, we need accurate, timely, and actionable data on vulnerabilities, which means a lot of testing. In the first part of the book, we learned how attackers will exploit some common physical and virtual vulnerabilities. Now let’s learn about the different ways we can find these vulnerabilities ourselves, before the attackers have a chance to exploit them.
We can’t rely on other people to tell us about our vulnerabilities; otherwise, our first knowledge of them is likely to come only after an attacker has exploited them, when we’re invited to one of those panicky executive meetings where the fateful words “I think we’ve been hacked” are uttered.