Vulnerability testing is categorized into two types as Vulnerability Assessment and Penetration Testing (VAPT). The tests have distinctive strengths and are usually fused to achieve a more complete vulnerability analysis. In short, Vulnerability Assessments and Penetration Testing perform two different tasks, usually with different outcomes, within the same area of focus.
A vulnerability assessment is the testing process used to detect and assign threat levels to as many security vulnerabilities as possible in a given timeframe. One may wonder what exactly qualifies as a vulnerability. It can be defined as:
This testing process involves varying degrees of rigor and an emphasis on complete coverage and can be done using either automated tools or manual techniques. Today most software is multi-layered so vulnerability assessments may target the various different layers of technology by employing a risk-based approach. The most common are host-, network-, and application-layer assessments.
Tools are used to identify and diagnose the issues in the host or the system. These tools load a mediator software onto the target system which traces the event and reports it to the security analyst.
Examples: Cain and Abel,STAT, Metasploit
Used to detect vulnerabilities on the network being used. It does so by scanning all the open ports and identifying the services running on those ports, the tools then disclose the possible risk associated with these services.
Examples: Wireshark, Nmap, Nessus
Used to prevent exploitation by SQL injection by the use of various tools and techniques in order to identify security exposure in database systems of the application being tested.
Examples: SQL Diest, Security Auditor
Conducting vulnerability assessments help organizations identify vulnerabilities in their software and supporting infrastructure before an attack can take place. Vulnerability assessment tools discover which flaws are present, but they do not distinguish between flaws that can be exploited to cause damage and those that cannot. These scanners just alert companies to the preexisting vulnerabilities in their code and where to find them.
A penetration test, also known as a pen test, is a virtually created cyber attack against the test computer system to check for vulnerabilities that can be exploited. In the context of web application security, it is commonly used to augment a web application firewall (WAF).
Pen testing can be used to simulate the attempted breaching of any number of application systems, (e.g., frontend/backend servers,APIs) to identify vulnerabilities, such as unsanitized inputs that are susceptible to SQL injection attacks.
Penetration tests attempt to exploit the vulnerabilities that are detected by a vulnerability scan in a system to determine whether unauthorized access or other malicious action is possible and identify which flaws pose a threat to the application. These tests find exploitable vulnerabilities and measure the severity of each. The purpose of a pen test is to demonstrate how damaging a flaw could be in a real attack rather than find every flaw in a system. Results provided by the penetration test can be used to improve the security policies and patch detected vulnerabilities.
Black Box Testing:
The penetration tester is placed in the role of an external hacker, with no internal knowledge of the target system such as source code and architecture. A black-box penetration test determines the vulnerabilities and loopholes in a system that are exploitable from outside the network by imitating a malicious mindset that an attacker approaches the system with. It relies on dynamic analysis of programs and systems by running automated scanning tools and manual penetration testing. This is also known as the “trial and error” method.
White Box Testing:
Also known as open box testing, It falls on the opposite end of the spectrum from black-box testing and testers are given full access to source code, architecture documentation and so forth. The main challenge with white-box testing is sifting through the extensive amount of data available to identify potential points of weakness, making it the most time-consuming type of penetration testing. Here both static and dynamic analysis approaches are adopted, hence it provides a comprehensive result of both internal and external vulnerabilities. Sophisticated tools are used to ensure that all independent paths of a module are verified and there are no design errors.
Grey Box Testing:
It is a combination of both black and white box testing that combines certain aspects of each type. A gray box tester has the access and knowledge levels of a user, likely with elevated privileges on a system. Typically they also have some knowledge of a network’s internals, usually limited to architecture and design documentation. This increased knowledge can help identify more significant vulnerabilities by putting in a relatively lower degree of work as it helps analysts prioritize and focus their efforts on systems with the greatest risk and value right from the start.
The VA process gives a horizontal map into the security position of the network and the application(breadth over depth), while the PT process does a vertical deep dive into the findings(depth over breadth). In other words, the VA process shows the potential scale of the vulnerability, while the PT shows how critical it is. Due to the nature of work involved in each process, a VA can be carried out using automated scripts and tools, while a PT, in almost all cases, is a manual process as every application is unique and differ in their implementation. Manual testing is preferred because a PT essentially simulates what real hackers would do to a network or application.
When combined, penetration testing and vulnerability assessment tools provide a detailed picture of the vulnerabilities that exist in an application and the risks associated with them
New vulnerabilities are discovered and reported every day by security researchers and product vendors. The failure to detect and mitigate these vulnerabilities leaves the organizations open to exploit by attackers. Companies that have strong VAPT programs are able to prevent or limit the exploitation of flaws. Thus it is highly crucial for every company to adopt some form of Vulnerability Assessment program to manage the risk so that attackers do not catch them unprepared and cause catastrophic damage.