VAPT – Vulnerability Assessment and Penetration Testing | 2019 Beginner Guide!
Vulnerability testing falls into two types: vulnerability assessment and penetration testing, together known as VAPT. Each test has distinctive strengths, and the two are usually combined to achieve a more complete vulnerability analysis. In short, vulnerability assessments and penetration tests perform two different tasks, usually with different outcomes, within the same area of focus.
What is a Vulnerability assessment?
A vulnerability assessment is the testing process used to detect and assign threat levels to as many security vulnerabilities as possible in a given timeframe. One may wonder what exactly qualifies as a vulnerability. It can be defined as:
- A flaw in software design or a bug in the code that leaves the application open to exploitation. Harm may be caused by an authenticated or unauthenticated user.
- A gap or loophole in security procedures that may result in a security breach when exploited.
This testing process involves varying degrees of rigour, emphasizes complete coverage, and can be done using either automated tools or manual techniques. Today most software is multi-layered, so vulnerability assessments may target the different layers of technology by employing a risk-based approach. The most common are host-, network-, and application-layer assessments.
Types of vulnerability scanners
Host-based scanner:
These tools identify and diagnose issues in the host or the system. They load mediator software onto the target system, trace events, and report them to the security analyst.
Examples: Cain and Abel, STAT, Metasploit
Network-based scanner:
These tools detect vulnerabilities on the network being used. They do so by scanning all the open ports and identifying the services running on those ports. The tools then disclose the possible risks associated with these services.
Examples: Wireshark, Nmap, Nessus
Database-based:
These scanners use various tools and techniques to identify security exposures in the database systems of the application being tested, in order to prevent exploitation by SQL injection.
Examples: SQL Diest, Security Auditor
Conducting vulnerability assessments helps organizations identify vulnerabilities in their software and supporting infrastructure before an attack can take place. Vulnerability assessment tools discover which flaws are present, but they do not distinguish between flaws that can be exploited to cause damage and those that cannot. These scanners just alert companies to the preexisting vulnerabilities in their code and where to find them.
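The network-based scan described above ends with a list of open ports, the services behind them, and a risk note for each. The following Python sketch is an added example, not part of the original guide: it reads a constructed sample in the layout of Nmap's XML output and builds such a list, using a small risk table that is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap XML output; hosts use documentation addresses.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>"""

# Illustrative risk table (an assumption for this example, not a standard rating).
SERVICE_RISK = {
    "telnet": ("high", "credentials and session sent in cleartext"),
    "ftp": ("high", "credentials sent in cleartext"),
    "ssh": ("low", "encrypted; review authentication settings and patch level"),
}
RISK_ORDER = {"high": 0, "review": 1, "low": 2}

def build_inventory(xml_text):
    """Return one finding per open port, highest risk first."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed or filtered ports are not exposed services
            svc = port.find("service")
            name = (svc.get("name") if svc is not None else None) or "unknown"
            # A service the table does not rate is queued for manual review.
            risk, note = SERVICE_RISK.get(name, ("review", "unidentified or unrated service"))
            findings.append({"host": addr, "port": int(port.get("portid")),
                             "service": name, "risk": risk, "note": note})
    return sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["host"], f["port"]))

if __name__ == "__main__":
    for f in build_inventory(SAMPLE_XML):
        print(f'{f["risk"]:6} {f["host"]}:{f["port"]:<5} {f["service"]:8} {f["note"]}')
```

Like the scanners it imitates, this output says which services are exposed and how they are rated, not whether any of them can actually be exploited.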
What is Penetration testing?
A penetration test, also known as a pen test, is a simulated cyber attack against the computer system under test to check for vulnerabilities that can be exploited. In the context of web application security, it is commonly used to augment a web application firewall (WAF).
Pen testing can be used to simulate the attempted breaching of any number of application systems (e.g., frontend/backend servers, APIs) to identify vulnerabilities, such as unsanitized inputs that are susceptible to SQL injection attacks.
Penetration tests attempt to exploit the vulnerabilities that are detected by a vulnerability scan in a system. They determine whether unauthorized access or other malicious action is possible and identify which flaws pose a threat to the application. These tests find exploitable vulnerabilities and measure the severity of each. The purpose of a pen test is to demonstrate how damaging a flaw could be in a real attack rather than find every flaw in a system. Results provided by the penetration test can be used to improve the security policies and patch detected vulnerabilities.
Penetration Testing methods
Black Box Testing:
The penetration tester is placed in the role of an external hacker, with no internal knowledge of the target system such as source code and architecture. A black-box penetration test determines the vulnerabilities and loopholes in a system that are exploitable from outside the network. It does so by imitating the malicious mindset with which an attacker approaches the system. It relies on dynamic analysis of programs and systems by running automated scanning tools and manual penetration testing. This is also known as the “trial and error” method.
White Box Testing:
Also known as open box testing, it falls on the opposite end of the spectrum from black-box testing. Here testers have full access to source code, architecture documentation and so forth. The main challenge with white-box testing is sifting through the extensive amount of data available in order to identify potential points of weakness, which makes it the most time-consuming type of penetration testing. Here both static and dynamic analysis approaches are adopted. As a result, it provides a comprehensive view of both internal and external vulnerabilities. We use sophisticated tools to ensure that all independent paths of a module are verified and there are no design errors.
Grey Box Testing:
It combines certain aspects of both black and white box testing. A grey box tester has the access and knowledge levels of a user, likely with elevated privileges on a system. Typically they also have some knowledge of a network’s internals, usually limited to architecture and design documentation. This increased knowledge can help identify more significant vulnerabilities with a relatively lower degree of work. This helps analysts prioritize and focus their efforts on systems with the greatest risk and value right from the start.
Difference between VA and PT
The VA process gives a horizontal map of the security position of the network and the application (breadth over depth), while the PT process does a vertical deep dive into the findings (depth over breadth). In other words, the VA process shows the potential scale of the vulnerability, while the PT shows how critical it is. Due to the nature of the work involved in each process, a VA can be carried out using automated scripts and tools, whereas a PT, in almost all cases, is a manual process, as every application is unique and differs in its implementation. Manual testing is preferred because a PT essentially simulates what real hackers would do to a network or application.
When combined, penetration testing and vulnerability assessment tools provide a detailed picture of the vulnerabilities that exist in an application and the risks associated with them.
Benefits of VAPT
- Identify known security vulnerabilities before attackers find and exploit them.
- Create an inventory of all the devices on the network, including the system information. This also includes flaws associated with a specific device.
- Create an inventory of all devices in the company to help with the planning of upgrades, patching, and future assessments.
- Define the level of risk that exists on the network according to standards provided by organizations such as OWASP and CVE.
- Optimize security investments by establishing a business risk/benefit curve.
New vulnerabilities are discovered and reported every day by security researchers and product vendors. The failure to detect and mitigate these vulnerabilities leaves organizations open to exploitation by attackers. Companies that have strong VAPT programs are able to prevent or limit the exploitation of flaws. Thus it is crucial for every company to adopt some form of vulnerability assessment program, managing the risk so that attackers do not catch it unprepared and cause catastrophic damage.