Vulnerability Assessment (VA)
A vulnerability assessment exercise provides an organization with information on the security loopholes in its digital and IT environment. The main purpose of VA is to detect vulnerabilities, assess the impact and provide appropriate direction based on assessment of the risks associated with those loopholes. This process offers the organization a robust and assured mechanism to secure their digital and IT peripherals. It also helps in significantly reducing the likelihood that a Cyber attacker will breach its digital and IT systems and inflict unanticipated damage to the organisation.
Penetration Testing (PT)
A penetration test, also known as pen test, is a simulated Cyber attack against the digital and IT systems of your organisation to check if any of the identified vulnerabilities (during VA) can be exploited to inflict damage on your businesses. This activity helps to ascertain the severity of the vulnerabilities and helps in prioritizing the fixes, where several vulnerabilities are identified. In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).
Stages of Penetration Testing :
- Information Gathering– The first of the seven stages of penetration testing is information gathering. The organization being tested will provide the penetration tester with general information about in-scope targets.
- Planning and Reconnaissance– The reconnaissance stage is crucial for thorough security testing because penetration testers can identify additional information that may have been overlooked, unknown, or not provided. This step is especially helpful in internal and/or external network penetration testing; however, we don’t typically perform this reconnaissance in web application, mobile application, or API penetration testing.
- Discovery and Scanning– The information gathered is used to perform discovery activities to determine things like ports and services that were available for targeted hosts, or subdomains, available for web applications.
- Vulnerability Assessment– A vulnerability assessment is conducted in order to gain initial knowledge and identify any potential security weaknesses that could allow an outside attacker to gain access to the environment or IT assets being tested. A vulnerability assessment is never a replacement for a penetration test, though.
- Exploitation – After interpreting the results from the vulnerability assessment, our expert penetration testers will use manual techniques, human intuition and various tools to validate, attack, and exploit those vulnerabilities.