Vulnerability assessment and penetration testing, abbreviated as VAPT, has become an important part of security testing. It is an assessment process in which computers, networks, operating systems, websites, application software and so on are scanned and tested thoroughly to find possible flaws and vulnerabilities. If these components are left with known or unknown vulnerabilities, they may expose corporate data, PII and similar assets to security threats.
The two activities are closely related but differ in nature and objective. Vulnerability assessment discovers which vulnerabilities are present, while penetration testing attempts to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible, and to identify which flaws pose a threat to the application. A penetration test aims to show how damaging a flaw could be in a real attack. Together, penetration testing and vulnerability assessment tools provide a detailed picture of the flaws that exist in an application and the risks associated with those flaws.
The benefits they bring together are:
- They identify programming errors that may lead to cyber attacks
- They help in securing applications from business logic flaws
- They secure infrastructure from internal and external attacks
- They are an important part of risk management
- Organizations can use them as a tool to achieve the desired compliance level
- They protect the organization from loss of reputation and money
The following steps are involved in this process:
- Defining the scope – The first and foremost task when performing tests and assessments is to define the scope, which specifies the assets to test and the kind of assessment to be done.
- Information Gathering – Based on the scope, more information is gathered about the components to decide on the type of testing to use. There are three types of testing: black box testing, grey box testing and white box testing.
- Vulnerability Detection – At this step, assets are scanned with vulnerability scanners to detect flaws.
- Information Analysis and Planning – The identified flaws are scrutinized, and a plan is then made to resolve the issues and/or to penetrate the system.
- Penetration Testing – At this step, the exposed target systems are attacked and penetrated by leveraging the flaws identified above.
- Privilege Escalation – An attempt is made to increase access by obtaining higher privileges, which includes root or administrative access to the system.
- Analyzing Results – This step includes performing root cause analysis and making suitable suggestions to ensure the security of the system by plugging the holes in it.
- Reporting – This step involves documenting the vulnerability findings and the respective recommendations so that the necessary actions can be taken to deal with them.
- Cleanup – It is important to revert any changes made during this activity. Cleanup ensures that files are restored to the state they were in before testing.
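The scope defined in the first step can be enforced mechanically before any scan or test is launched. The sketch below is an added example, not part of the original article: the `Scope` class, `check` and `partition` are hypothetical names, and the addresses and host names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Scope:
    """Hypothetical model of an agreed scope: assets plus permitted assessment kinds."""
    networks: list   # in-scope CIDR ranges
    excluded: list   # carve-outs that must never be touched
    hostnames: set   # in-scope host names (exact match, no wildcards)
    allowed: set     # permitted assessment kinds

    def check(self, target, activity):
        """Return (permitted, reason) for one target/activity pair."""
        if activity not in self.allowed:
            return False, "activity not authorised"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Not an IP literal: compare as a normalised host name.
            name = target.lower().rstrip(".")
            if name in self.hostnames:
                return True, "hostname in scope"
            return False, "hostname not in scope"
        # Exclusions win over inclusions, so check them first.
        if any(addr in ipaddress.ip_network(n) for n in self.excluded):
            return False, "address excluded"
        if any(addr in ipaddress.ip_network(n) for n in self.networks):
            return True, "address in scope"
        return False, "address not in scope"

def partition(scope, requests):
    """Split (target, activity) requests into permitted and refused lists."""
    permitted, refused = [], []
    for target, activity in requests:
        ok, reason = scope.check(target, activity)
        (permitted if ok else refused).append((target, activity, reason))
    return permitted, refused

# Constructed sample data (documentation address ranges and example.com names).
SCOPE = Scope(networks=["192.0.2.0/24"], excluded=["192.0.2.128/25"],
              hostnames={"app.example.com"}, allowed={"vulnerability_scan"})
REQUESTS = [("192.0.2.10", "vulnerability_scan"), ("192.0.2.200", "vulnerability_scan"),
            ("198.51.100.7", "vulnerability_scan"), ("APP.example.com.", "vulnerability_scan"),
            ("dev.app.example.com", "vulnerability_scan"), ("192.0.2.10", "penetration_test")]

if __name__ == "__main__":
    for group, label in zip(partition(SCOPE, REQUESTS), ("PERMIT", "REFUSE")):
        for target, activity, reason in group:
            print(f"{label} {target:22} {activity:20} {reason}")
```

Recording the refused requests alongside the permitted ones also gives the reporting step evidence that testing stayed within the agreed scope.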
By: Aman Chhikara