Vulnerability Assessment and Penetration Testing
Vulnerability assessments helps identify loopholes in a system, while penetration testing is a proof-of-concept approach to explore and exploit vulnerabilities.
Join the DZone community and get the full member experience.Join For Free
In these days of widespread Internet usage, security is of prime importance. The almost universal use of mobile and Web applications makes systems vulnerable to cyber-attacks. Vulnerability assessment can help identify the loopholes in a system while penetration testing is a proof-of-concept approach to actually explore and exploit a vulnerability.
Cyber-attacks are increasing every day with the increased use of mobile and Web applications. Globally, statistics show that more than 70 percent of the applications either have vulnerabilities that could potentially be exploited by a hacker or worse, they have already been exploited. The data losses due to this are typical of two types. Either the data is confidential to the organization or it is private to an individual. Regardless of the category, data losses result in the loss of money or reputation. This article explores a technical process that can be adopted by industries and organizations to protect their intellectual property, and if implemented correctly, will result in better risk management.
For those who are new to Vulnerability Assessment and Penetration Testing (VAPT), this is a technical assessment process to find security bugs in a software program or a computer network. The network may be a LAN or WAN, while the software program can be a .exe running on a server or desktop, a Web/cloud application, or a mobile application. Before we get into the technical aspects of VAPT, let’s look at a few of its benefits.
- Help identify programming errors that can lead to cyber attacks
- Provides a methodical approach to risk management
- Secures IT networks from internal and external attacks
- Secures applications from business logic flaws
- Increased ROI on IT security
- Protects the organization from loss of reputation and money
What Is a Vulnerability Assessment?
Vulnerability assessment (VA) is a systematic technical approach to find security loopholes in a network or software system. VA is entirely a process of searching and finding, with the objective that none of the loopholes is missed. It primarily adopts a scanning approach that is done both manually and performed by certain tools. The outcome of a VA process is a report showing all vulnerabilities, which are categorized based on their severity. This report is further used for the next step, which is penetration testing (PT). VA is usually a non-intrusive process and can be carried out without jeopardizing the IT infrastructure or application’s operations.
What Is Penetration Testing?
A penetration test (PT) is a proof-of-concept approach to actually explore and exploit vulnerabilities. This process confirms whether the vulnerability really exists and further proves that exploiting it can result in damage to the application or network. The PT process is mostly intrusive and can actually cause damage to the systems; hence, a lot of precautions need to be taken before planning such a test. The outcome of a PT is, typically, evidence in the form of a screenshot or log, which substantiates the finding and can be a useful aid towards remediation. As a summary, shown below are the steps involved in the VAPT process.
- Scanning the network or application
- Searching for security flaws
- Exploiting the security flaws
- Preparing the final report of the test
Differences Between VA and PT
VA and PT differ from each other in two aspects. The VA process gives a horizontal map into the security position of the network and the application, while the PT process does a vertical deep dive into the findings. In other words, the VA process shows how big vulnerability is, while the PT shows how bad it is. There is one more subtle difference. Due to the nature of work involved in each process, a VA can be carried out using automated tools, while a PT, in almost all cases, is a manual process. This is because PT essentially simulates what real hackers would do to your network or application. Figures 1 and 2 show the VAPT process for network and Web applications, respectively.
While there are multiple tools available in the market, those listed below are well-known for their usability. Although these tools are mentioned as VAPT tools, most of them essentially provide VA only and leave the PT part to the ethical hackers to be done manually. There are a couple of tools, though, which are powerful PT tools and are mentioned as such in the list below.
- BurpSuite (PT)
- Metasploit (PT)
There are two important terms that an ethical hacker must know, especially while using these tools. These are false positive and false negative.
A false positive is when a vulnerability actually does not exist, but it gets reported. A false negative is when a vulnerability actually exists but it is not reported. A false positive can be a nuisance resulting in a waste of time for an ethical hacker, whereas a false negative can be really dangerous, leaving a network or application susceptible to attack, while giving an illusion that everything is alright. It has been observed that automated tools tend to exhibit false positives as well as false negatives. This brings us to the next important question of which method is better — the automated VAPT or manual VAPT?
Automated vs Manual VAPT
The shortest answer is that the manual VAPT is always better and, hence, is a more widely used approach. This is because the automated tools are based on simple logic, which checks either for signatures or behavior. To understand this, let’s go to the basic difference between a software program and the human mind. Listed below are the steps a typical ethical hacker performs for a VAPT.
- Enumerates a vulnerability
- Performs an attack manually
- Analyses the results of the attack
- Performs similar or different attacks based on previous findings
- Assimilates the results to create a customized attack
- Exploits the vulnerability further to see if more attacks are possible
- Repeats the above steps for all vulnerabilities
Each network or application is different, resulting in a very wide range of vulnerability scenarios. From the above steps, it becomes clear that there is a lot of complexity involved in VAPT, wherein, the results of one test decide the actions of the next one. This makes VAPT a process of cascaded intelligence, where you cannot predict the next step and also need to apply years of experience to reach a conclusion. No tool can do this, at least, not as of today, and hence it must be performed manually. An ethical hacker’s job can be made less stressful by automating certain tasks of vulnerability assessment; however, the proof-of-concept part in penetration testing mostly relies on manual ways of exploiting the loophole and gathering the required evidence. Given below are the benefits of manual penetration testing.
- Mimics the behavior of real-life hackers
- Brings a great deal of accuracy to the results
- No false positives
- Provides evidence, enabling the replication of problems
- Helps in fixing a product’s security design issues
VAPT is a methodical approach to risk management. CISO’s or IT heads should, as a matter of strategy, incorporate VAPT in their budgets and risk governance processes. It should be a periodically executed process, and the frequency should depend upon the data’s confidentiality and risk impact. While there are multiple tools to perform vulnerability assessment, penetration testing is a manual process and should be handled by professional and highly experienced ethical hackers. This will ensure genuine cyber-security as opposed to an illusion of being secure.
Opinions expressed by DZone contributors are their own.