Vulnerability Assessment (VAS) is a process of searching for any potential loopholes in a system that could lead to its compromise. It is important to perform VAS on the system to make sure that it is safe and does not suffer any illegitimate access that can affect the availability, confidentiality and integrity of the system [1][2]. VAS can be done by outsourcing it to a third party or by doing it yourself (DIY), depending on the budget and time allocated. The choice can also depend on the confidentiality of the project, which might prevent you from opening it to a third-party assessment. When choosing DIY, another thing to consider is implementing the VAS according to standards and common practices, to make sure that the system can pass the security requirements needed. Even though many standards, testing guidelines and common practices for VAS are available on the net, selecting the best and most suitable VAS approach will cost you a lot of time and effort. This paper tries to share some experiences in setting up criteria for outsourcing the task. It also shares a way to simplify the standard practice from the Open Web Application Security Project (OWASP), turning it into a simple yet thorough assessment process. The assessment was done in a cloned environment to protect the real system from any disruptions and conflicts.