What is VAPT?
Vulnerability Assessment and Penetration Testing (VAPT) are both security services that focus on identifying vulnerabilities in the network, server and system infrastructure. Both the services serves a different purpose and are carried out to achieve different but complimentary goals.
Vulnerability Assessment focuses on internal organizational security, while Penetration Testing focuses on external real-world risk.
What is Vulnerability Assessment(VA)?
A Vulnerability Assessment is a rapid automated review of network devices, servers and systems to identify key vulnerabilities and configuration issues that an attacker may be able to take advantage off. Its generally conducted within the network on internal devices and due to its low footprint can be carried out as often as every day.
What is Penetration Test(PT or Pen Test)?
A Penetration Test is an in-depth expert-driven activity focused on identifying various possible routes an attacker could use to break into the network. In-addition with the vulnerabilities it also identifies the potential damage and further internal compromise an attacker could carry out once they are past the perimeter.
What are steps for VAPT?
Step 1) Goals & Objective-Define goals and objectives of Vulnerability Analysis.
Step 2) Scope-While performing the Assessment and Test, Scope of the Assignment needs to be clearly defined.
The following are the three possible scopes that exist:
- Black Box Testing : – Testing from an external network with no prior knowledge of the internal network and systems.
- Grey Box Testing : – Testing from either external or internal networks with the knowledge of the internal network and system. It’s the combination of both Black Box Testing and White Box Testing.
- White Box Testing : – Testing within the internal network with the knowledge of the internal network and system. Also known as Internal Testing.
Step 3) information Gathering-Obtaining as much information about IT environment such as Networks, IP Address, Operating System Version, etc. It’s applicable to all the three types of Scopes such as Black Box Testing, Grey Box Testing and White Box Testing.
Step 4) Vulnerability Detection-In this process, vulnerability scanners are used to scan the IT environment and identify the vulnerabilities.
Step 5) Information Analysis and Planning-It will analyze the identified vulnerabilities to devise a plan for penetrating into the network and systems.