Introduction to Vulnerability Assessment and Penetration Testing
- October 14, 2019
The cyber threat landscape is ever evolving. Hence, an IT System which was delivered correctly yesterday, may not be safe today. Threats are events that exploit vulnerabilities to do harm to an organisation’s assets. To prevent these potential harm, an organisation will identify new vulnerabilities and either rectify the vulnerabilities or mitigate the risks to an acceptable level.
In this article, we will be focusing on Vulnerability Assessment and Penetration Testing.
Vulnerability Assessment (VA) is to define, identify, classify and prioritise the discovery of vulnerabilities within the defined scope of the IT System(s). There are various forms of Vulnerability Assessment where tools such as scanners are used to discover vulnerabilities. The types of VA is determined by the target systems, e.g. Operating System VA is to discover any vulnerabilities through the OS layer, Network VA is to discover any vulnerabilities(including application types) through the network layer. The two most common Web-based VA are Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Interactive Application Security Testing (IAST) is the combination of SAST and DAST.
|
|
Static Application Security Testing (SAST)
|
Dynamic Application Security Testing (DAST)
|
Interactive Application Security Testing (IAST)
|
|---|---|---|---|
|
How does it work?
|
Review from inside the application such as source-code review
|
Review from outside the application such as feeding wrong data through the web interface
|
Review both inside and outside, whilst the developer is compiling the codes
|
|
Cons
|
Costly long duration dependent on the experience of the tester
|
Unable to perform comprehensive application analysis since this is carried out externally
|
More focused testing on critical systems and services
|
|
Pros
|
Able to perform comprehensive application analysis
|
Can be done faster as compared to other types of testing due to the restricted scope
|
Average cost and time of testing
|
The type of VA should be determined based on the defined scope of the VAPT. For example, there’s no point doing a SAST for Commercial-Out-Of-The-Box software, but a DAST on COTS can discover new vulnerabilities. There’s no point doing Operating System VA on Network appliances, since the Network appliance OS is pre-hardened and (usually) evaluated on the Common Criteria (CC) guidelines. Minimally a Network VA should be done on an IT System, which has been wholesale migrated to a new network. The Network VA will be able to discover any misconfigured network parameters.
Penetration Testing is when the discovered vulnerability cannot be rectified. The tester will try to exploit the vulnerability to determine the extent of the damage that can be done, if at all. There are 3 types of PT, described in the box below.
|
|
White Box
|
Black Box
|
Grey Box
|
|---|---|---|---|
|
What
|
Tester is fully aware about the system internal workings
|
Tester is not aware about the system internal workings
|
Tester is partially aware about the systems internal workings
|
|
How does it work?
|
Tester is given prior knowledge on the system, and uses this information to carefully craft and exploit to discover any vulnerabilities
|
Tester does not have any prior knowledge on the system, and have to randomly test common exploits before any discovery can be made
|
Tester is given some prior knowledge (usually sufficient only for the defined scope of works) to test common exploits to discover any vulnerabilities
|
|
Cons
|
Costly
Long duration |
Unable to perform comprehensive analysis
|
More focused testing on critical components
|
|
Pros
|
Simulate an internal attack
|
Simulate an external attack
|
Deep but not wide discovery of vulnerabilities
|
The difference between Vulnerability Assessment and Penetration Testing is that the former discovers security flaws present in the organization’s system whereas the latter is used to show how damaging it can be should the vulnerabilities be exploited.
“Vulnerability Assessment is mostly automatic by tools, but Penetration Testing is a hybrid of tools and manual techniques.”
This VA/PT methodology is widely accepted by most security auditing firms. Almost all typical companies do not do their own VAPT but engage external auditors to execute the VA/PT. Depending upon the business objectives, different scope of the VA/PT will be planned. When a vulnerability is discovered, and it cannot be rectified, a PT is done to determine the extent of the potential damage should the vulnerability be exploited. This is the basis of the risk assessment to determine if additional security controls should be implemented. Not all vulnerabilities can be rectified. Some have no patch available as yet (e.g. zero – day), some may have no support today, (e.g. legacy products), and some may not be applicable, as determined by the PT.
Share this page
Related Articles
- All Posts
- Back
- Thought Leadership
- Humans of NITA
- Tech Insights
- Culture
With a digital marketing background in the bathroom ceramics and fixtures industry, Vanessa brings that experience into B2B tech—shaping marketing...
Daryl plays a key role in supporting HR operations at Neurones IT Asia—handling a range of employee-related matters and administrative...
With over a decade of experience in tech sales, Casey brings both strategic insight and client-centric thinking to his role...
