When it comes to vulnerability testing, what should be in scope? In my view, that’s a really easy question to answer.
Everything connected to your organisation’s network or using your organisation’s resources, including in the cloud, are in scope. The weighting of vulnerability findings will take into consideration their physical location as well as the data they hold and the services they provide. This might also change the frequency of vulnerability tests you run against them. Unless we include it in scope we’ll never know what risk it presents to us.
- Networked devices
- Cloud Services
- Mobile devices (smartphones, tablets, etc.)