Vulnerability Assessment and Penetration Testing (VAPT)
Vulnerability Assessment and Penetration Testing (VAPT) are security services that focus on identifying vulnerabilities in networks, servers, web applications and system infrastructure. The two services serve different purposes and are carried out to accomplish distinct but complementary objectives.
Vulnerability Assessment (VA)
A Vulnerability Assessment is a largely automated review of network devices, servers, web applications and systems to identify known vulnerabilities and configuration issues that an attacker could exploit. A VA is typically run from inside the network against internal devices and, because it is automated, can be repeated as often as every day. Its output is a list of suspected weaknesses that still has to be verified, since scanners report false positives. A Vulnerability Assessment answers the question "What are the potential weaknesses on my network?"
Penetration Testing (PT)
A Penetration Test is an in-depth, expert-driven exercise focused on identifying the paths an attacker could actually use to break into the network. Beyond listing vulnerabilities, it chains them together and shows the damage and further compromise an attacker could achieve once past the security perimeter. A Penetration Test answers the question "What path could an attacker use to exploit these vulnerabilities, and how far could they get?"
Vulnerability Assessment and Penetration Testing Process:
Goals and objectives
This is where we define the goals and objectives of the Vulnerability Assessment & Penetration Testing.
Scope: The scope of the assignment must be clearly defined before any testing or assessment begins, since it determines which systems may be touched and which may not.
There are three possible scopes:
Information Gathering
Collecting as much information as possible about the IT environment: networks, IP address ranges, operating system versions, exposed services, and so on. This phase applies to all of the scope types defined above.
Vulnerability Detection
In this phase scanners come into play. Vulnerability scanners such as Nessus and OpenVAS, together with Nmap (a port and service scanner whose NSE scripts can also check for some known vulnerabilities), are used to scan the network and IT environment for vulnerabilities.
Information Analysis and planning
Analysis of the vulnerabilities identified in the previous phase, and devising a plan to penetrate the network and systems: which findings are real, which can be chained together, and in what order they should be exploited.
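The three technical phases above (information gathering, vulnerability detection, analysis) hand data from one to the next, and in practice that hand-off is a scanner's output file. The following is an added example, not code from the original article: it parses Nmap service-detection output in Nmap's XML format (`-sV -oX`) into per-host service records, then applies two analyst checks that need no vulnerability database (cleartext protocols, and services Nmap could not version-fingerprint). The scan output, hosts, hostnames and services embedded below are constructed for illustration.

```python
"""Parse Nmap -sV XML output into per-host service records and pick out
items that need analyst follow-up.

Added example for this page, not code from the original article.  The scan
output below is constructed by hand in the Nmap XML (-oX) format; the hosts,
hostnames and services in it are fictitious.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: roughly what `nmap -sV -oX scan.xml 10.0.0.0/29` emits.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29" version="7.94">
<host><status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.internal" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.4"><cpe>cpe:/a:openbsd:openssh:7.4</cpe></service></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.4.6"><cpe>cpe:/a:apache:http_server:2.4.6</cpe></service></port>
<port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
</ports></host>
<host><status state="up"/>
<address addr="10.0.0.6" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass
class Service:
    host: str
    hostname: str
    port: int
    proto: str
    name: str
    product: str = ""
    version: str = ""
    cpes: list = field(default_factory=list)

    def banner(self) -> str:
        return " ".join(p for p in (self.name, self.product, self.version) if p)


def parse_nmap_xml(xml_text: str) -> list:
    """Return one Service per open port on each host that was up."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no ports worth recording
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for this step
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append(Service(
                host=addr.get("addr"), hostname=hostname,
                port=int(port.get("portid")), proto=port.get("protocol"),
                name=get("name"), product=get("product"), version=get("version"),
                cpes=[c.text for c in svc.findall("cpe")] if svc is not None else [],
            ))
    return services


# Protocols that may carry credentials in cleartext: always worth a look.
CLEARTEXT_PROTOCOLS = {"ftp", "telnet", "pop3", "imap", "smtp", "http"}


def flag_for_review(services: list) -> list:
    """Return (host, port, reason) tuples an analyst should follow up on.
    Services without a version fingerprint cannot be matched against
    advisories until someone grabs the banner by hand."""
    flags = []
    for s in services:
        if s.name in CLEARTEXT_PROTOCOLS:
            flags.append((s.host, s.port, f"cleartext protocol: {s.name}"))
        if not s.version:
            flags.append((s.host, s.port, "no version fingerprint; grab banner manually"))
    return flags


def by_host(services: list) -> dict:
    """Group services as 'port/proto banner' strings per host, for the report."""
    out = {}
    for s in services:
        out.setdefault(s.host, []).append(f"{s.port}/{s.proto} {s.banner()}")
    return out


if __name__ == "__main__":
    svcs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for host, lines in by_host(svcs).items():
        print(host)
        for line in lines:
            print("  " + line)
    for host, port, reason in flag_for_review(svcs):
        print(f"REVIEW {host}:{port} - {reason}")
```

The CPE strings Nmap attaches to fingerprinted services are what a vulnerability scanner correlates against its advisory database; services that arrive here with no version (the telnet and http-proxy entries in the sample) are exactly the ones a purely automated assessment would silently under-report.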
How should we define the scope for a Vulnerability Assessment & Penetration Testing (VAPT)?
The scope of each audit depends on the specific company, its industry, and the compliance regimes and standards it follows. However, the following are some general guidelines that you should consider:
Need for Vulnerability Assessment & Penetration Testing (VAPT)?
Cyber-attacks are a real-world problem, with thousands of networks and websites being compromised every day. Some of the common reasons for conducting a Vulnerability Assessment & Penetration Testing (VAPT) are as follows:
Compliance standards or certifications for Vulnerability Assessment & Penetration Testing (VAPT)?
Vulnerability Assessment & Penetration Testing (VAPT) is mandated across many industries and sectors. A wide range of compliance standards require such audits to be carried out periodically. Some of the well-known standards are:
Vulnerability Assessment & Penetration Testing (VAPT) Results?
A Vulnerability Assessment & Penetration Testing (VAPT) engagement produces the following:
Executive Report:
A high-level overview of the activity conducted, a summary of the issues identified, risk scores and action items. It should be something a non-technical reader can review to gain insight into the security concerns raised in the report. IT staff may need all the technical details, but executives are not required to understand the technology; they need to recognize the business risk, which is what a good executive summary conveys. Business leaders must understand what is at stake in order to make informed decisions for their companies, and the executive summary is what delivers that understanding.
Technical Report :
A detailed report that explains each issue identified, with a step-by-step proof of concept (PoC) for each issue, code and configuration examples to fix it, and reference links for further details.
Most reports use a rating system such as the CVSS score to measure the severity of each finding, but seldom take the time to explain the risk it actually represents. The client's IT department needs to make prompt, impactful decisions on how best to resolve vulnerabilities, and to do so it needs approval from the executives. Simply stating that something is "risky" does not by itself convey the real risk. Findings also need to be checked for false positives before they are rated: a scanner's claim is not a confirmed vulnerability until it has been verified.
Potential impact of vulnerability:
Risk can be calculated from four factors: the value of the asset, the vulnerability itself (how severe it is), the potential impact of the vulnerability on the business (threat impact), and the likelihood of occurrence.
Likelihood is standard in most assessment reports. But the odds of exploitation, though important, are not sufficient to define risk. You would not rank a deep-rooted remote code execution below a developer's email address exposed in the page's HTML, even though the latter is far easier to "exploit", because the former is much more damaging to the client.
An assessment report is not only for the IT staff. Management needs a separate view of how each vulnerability would directly affect their specific organization. Factoring both the likelihood and the potential impact of exploitation into the overall risk is a notable part of an excellent report.
Multiple Vulnerability Remediation Options: Most pentest reports include a conventional, high-level description of how to deal with each issue; however, these generic "catch-all" remediation guides often fall short in the unique context of the customer's environment. If a client has a vulnerable service running on a web server that they rely on, the remediation should offer more than simply telling them to disable the service altogether. It is of course worth telling the client about quick, tactical measures that block certain attacks, such as input filtering for SQL injection or XSS, or a firewall rule, but the report should be clear that these are stopgaps: the actual fix for SQL injection is parameterized queries, and for XSS it is context-aware output encoding in the application itself. A quality pentest report gives multiple remediation options, each detailed enough for the client's IT team to act on immediately. Assuming the internal staff already know how to remediate every vulnerability significantly reduces the value of the pentest.
Pentesting Services
The scope of pentesting services depends on what you wish to test on the target system, so the security tester has to choose the type of service according to the target. Pentesting services can be divided into the following categories: