With increased use of web based applications and mobile devices, cyber threats have become very much prevalent. In the current scenario, the confidential data of enterprises is at high risk, both from $$$ and reputation loss. One of the key measures corporates can take to manage the risk is VAPT (Vulnerability Assessment and Penetration Testing).

VAPT is a technical assessment process to find security bugs in an application and/or a network. This is a methodical approach to risk management which helps identify vulnerabilities that may lead to cyber-attacks. Most of these vulnerabilities are caused due to either of misconfigurations or developers not following security practices during software development life cycle (SDLC).These vulnerabilities when exploited can lead to data loss from Confidentiality, Integrity, availability perspective.


Vulnerability assessment (VA)
VA is a systematic methodology to find the security gaps in a network or application. This involves scanning (manual or utilizing tools) process to identify vulnerabilities, further categorized in critical/high/medium/low severity. VA is a non-intrusive process and can be carried out without impacting the infra/applications.

The VA process gives a horizontal map into the security position of the application/network and mostly carried via automated tools. Some of the widely used tools for VA include- IBM Acunetix, Nmap, Nessus, Rapid7 Nexpose

Penetration testing (PT)
(PT) is next step after VA to exploit vulnerabilities. PT involves simulating the actions of a malicious cyber-attacker with objective to expose security gaps and subsequently investigate the risks they pose and determine the type of information that could be extracted if the weakness was exploited. PT process is mostly intrusive and may cause damage to the IT infrastructure/ application, if due care is not taken.

PT does a vertical deep dive and is a manual process in most cases. Burpsuite and Metasploit are commonly used tools for conducting PT.

False positive and false negative are two important aspects of VAPT process. A false positive is when vulnerability actually does not exist, but it gets reported. A false negative is when vulnerability actually exists but it is not reported. As observed by practioners/ethical hackers over the years, automated tools tend to exhibit more false positives as well as false negatives. For this reason, Manual process is considered the best way forward by ethical hackers. The PT process:

Performs manual attack > Analyses the results > Perform attacks based on findings > Conform the results to create a customized attack > Exploits the vulnerability > Repeat steps for all vulnerabilities.

Vulnerability assessment can help identify the loopholes in a system while penetration testing is a proof-of-concept approach to actually explore and exploit vulnerability. VAPT should be a periodically executed process and is one of the key elements of Enterprise Risk management.


By:- Sapan Talwar